From a11208b307e54908a0853a0d9ea81b11367890bd Mon Sep 17 00:00:00 2001 From: JimMoen Date: Fri, 12 Nov 2021 11:31:35 +0800 Subject: [PATCH] fix(frame): variable byte num not limited in 4 bytes --- src/emqx.appup.src | 8 +++++++- src/emqx_frame.erl | 7 ++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/emqx.appup.src b/src/emqx.appup.src index 2e9c125c8..2c0d887f8 100644 --- a/src/emqx.appup.src +++ b/src/emqx.appup.src @@ -1,4 +1,4 @@ -%% -*-: erlang -*- +%% -*- mode: erlang -*- {VSN, [ @@ -92,6 +92,7 @@ {load_module,emqx_misc,brutal_purge,soft_purge,[]} ]}, {<<"4.2.5">>, [ + {load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_session, brutal_purge, soft_purge, []}, {load_module, emqx_congestion, brutal_purge, soft_purge, []}, @@ -110,6 +111,7 @@ {load_module,emqx_misc,brutal_purge,soft_purge,[]} ]}, {<<"4.2.[6-7]">>, [ + {load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_connection, brutal_purge, soft_purge, []}, {load_module, emqx_ws_connection, brutal_purge, soft_purge, []}, @@ -121,6 +123,7 @@ {load_module,emqx_misc,brutal_purge,soft_purge,[]} ]}, {<<"4.2.8">>, [ + {load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_connection, brutal_purge, soft_purge, []}, {load_module, emqx_cm, brutal_purge, soft_purge, []} @@ -218,6 +221,7 @@ {load_module,emqx_misc,brutal_purge,soft_purge,[]} ]}, {<<"4.2.5">>, [ + {load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_session, brutal_purge, soft_purge, []}, {load_module, emqx_congestion, brutal_purge, soft_purge, []}, @@ -236,6 +240,7 @@ {load_module,emqx_misc,brutal_purge,soft_purge,[]} ]}, {<<"4.2.[6-7]">>, [ + {load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_connection, brutal_purge, soft_purge, []}, {load_module, emqx_ws_connection, brutal_purge, soft_purge, []}, @@ -247,6 +252,7 @@ {load_module,emqx_misc,brutal_purge,soft_purge,[]} ]}, {<<"4.2.8">>, [ + {load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_connection, brutal_purge, soft_purge, []}, {load_module, emqx_cm, brutal_purge, soft_purge, []} diff --git a/src/emqx_frame.erl b/src/emqx_frame.erl index 94fbda4b7..7caa92ea8 100644 --- a/src/emqx_frame.erl +++ b/src/emqx_frame.erl @@ -67,6 +67,8 @@ version => ?MQTT_PROTO_V4 }). +-define(MULTIPLIER_MAX, 16#200000). + -dialyzer({no_match, [serialize_utf8_string/2]}). %%-------------------------------------------------------------------- @@ -142,7 +144,7 @@ parse_remaining_len(<<0:8, Rest/binary>>, Header, 1, 0, Options) -> parse_remaining_len(<<0:1, 2:7, Rest/binary>>, Header, 1, 0, Options) -> parse_frame(Rest, Header, 2, Options); parse_remaining_len(<<1:1, _Len:7, _Rest/binary>>, _Header, Multiplier, _Value, _Options) - when Multiplier > 2097152 -> + when Multiplier > ?MULTIPLIER_MAX -> error(malformed_variable_byte_integer); parse_remaining_len(<<1:1, Len:7, Rest/binary>>, Header, Multiplier, Value, Options) -> parse_remaining_len(Rest, Header, Multiplier * ?HIGHBIT, Value + Len * Multiplier, Options); @@ -411,6 +413,9 @@ parse_property(<<16#2A, Val, Bin/binary>>, Props) -> parse_variable_byte_integer(Bin) -> parse_variable_byte_integer(Bin, 1, 0). +parse_variable_byte_integer(<<1:1, _Len:7, _Rest/binary>>, Multiplier, _Value) + when Multiplier > ?MULTIPLIER_MAX -> + error(malformed_variable_byte_integer); parse_variable_byte_integer(<<1:1, Len:7, Rest/binary>>, Multiplier, Value) -> parse_variable_byte_integer(Rest, Multiplier * ?HIGHBIT, Value + Len * Multiplier); parse_variable_byte_integer(<<0:1, Len:7, Rest/binary>>, Multiplier, Value) ->