From 7d6180f10a184a23e48f2d7db9bc2ff62b8e5ba6 Mon Sep 17 00:00:00 2001
From: JimMoen
Date: Mon, 27 Sep 2021 14:48:17 +0800
Subject: [PATCH] fix(frame): variable byte integer could be larger than 4 bytes.
---
 apps/emqx/src/emqx_frame.erl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/apps/emqx/src/emqx_frame.erl b/apps/emqx/src/emqx_frame.erl
index 11e39fce6..dab987f60 100644
--- a/apps/emqx/src/emqx_frame.erl
+++ b/apps/emqx/src/emqx_frame.erl
@@ -75,6 +75,8 @@
 -define(PARSE_ERR(Reason), ?THROW_FRAME_ERROR(Reason)).
+-define(MULTIPLIER_MAX, 16#200000).
+
 -dialyzer({no_match, [serialize_utf8_string/2]}).
 %% @doc Describe state for logging.
@@ -159,7 +161,7 @@ parse_remaining_len(<<0:8, Rest/binary>>, Header, 1, 0, Options) ->
 parse_remaining_len(<<0:1, 2:7, Rest/binary>>, Header, 1, 0, Options) ->
 parse_frame(Rest, Header, 2, Options);
 parse_remaining_len(<<1:1, _Len:7, _Rest/binary>>, _Header, Multiplier, _Value, _Options)
- when Multiplier > 2097152 ->
+ when Multiplier > ?MULTIPLIER_MAX ->
 ?PARSE_ERR(malformed_variable_byte_integer);
 parse_remaining_len(<<1:1, Len:7, Rest/binary>>, Header, Multiplier, Value, Options) ->
 parse_remaining_len(Rest, Header, Multiplier * ?HIGHBIT, Value + Len * Multiplier, Options);
@@ -446,6 +448,9 @@ parse_property(<<16#2A, Val, Bin/binary>>, Props) ->
 parse_variable_byte_integer(Bin) ->
 parse_variable_byte_integer(Bin, 1, 0).
+parse_variable_byte_integer(<<1:1, _Len:7, _Rest/binary>>, Multiplier, _Value)
+ when Multiplier > ?MULTIPLIER_MAX ->
+ ?PARSE_ERR(malformed_variable_byte_integer);
 parse_variable_byte_integer(<<1:1, Len:7, Rest/binary>>, Multiplier, Value) ->
 parse_variable_byte_integer(Rest, Multiplier * ?HIGHBIT, Value + Len * Multiplier);
 parse_variable_byte_integer(<<0:1, Len:7, Rest/binary>>, Multiplier, Value) ->
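Review bot: `?MULTIPLIER_MAX` is defined without a comment, and neither the name nor the hex literal says what is being bounded. 16#200000 is the 2097152 it replaces in parse_remaining_len, i.e. 128 * 128 * 128, the multiplier in effect while the fourth byte of a variable byte integer is decoded. I would add a line above the define such as `%% 128 * 128 * 128: multiplier applied to the fourth (last permitted) byte of a variable byte integer`.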
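Review bot: The guard `when Multiplier > ?MULTIPLIER_MAX` still lets a five-byte variable byte integer through, both here and in the new parse_variable_byte_integer/3 clause in the last hunk. Multiplier equals 16#200000 while the fourth byte is examined, so a fourth byte with the continuation bit set fails the `>` test and falls through to the accumulating clause; a fifth byte with the high bit clear then matches the unguarded `<<0:1, Len:7, Rest/binary>>` clause whose head is visible at the end of the last hunk. These bytes come off the wire from the peer, so I would reject at the fourth byte with `when Multiplier >= ?MULTIPLIER_MAX ->` in both clauses. The final clause of parse_remaining_len lies outside the hunk, so whether it bounds the value some other way cannot be seen from here.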