From 2a6354b07d476b2d8b6ad862e655b33e8ce19efa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net>
Date: Mon, 7 Jan 2019 16:05:01 +0100
Subject: [PATCH] asymcute: check for minimum packet length early

Without this patch _len_get reads one byte beyond the con->rxbuf
if the incoming packet consists only of the byte 0x01.
---
 sys/net/application_layer/asymcute/asymcute.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sys/net/application_layer/asymcute/asymcute.c b/sys/net/application_layer/asymcute/asymcute.c
index 983d3ff15c..b3379820e8 100644
--- a/sys/net/application_layer/asymcute/asymcute.c
+++ b/sys/net/application_layer/asymcute/asymcute.c
@@ -516,6 +516,10 @@ static void _on_unsuback(asymcute_con_t *con, const uint8_t *data, size_t len)
 
 static void _on_data(asymcute_con_t *con, size_t pkt_len, sock_udp_ep_t *remote)
 {
+    if (pkt_len < 2) {
+        return;
+    }
+
     size_t len;
     size_t pos = _len_get(con->rxbuf, &len);
 
@@ -524,8 +528,7 @@ static void _on_data(asymcute_con_t *con, size_t pkt_len, sock_udp_ep_t *remote)
         return;
     }
     /* validate incoming data: verify message length */
-    if ((pkt_len < 2) ||
-        (pkt_len <= pos) || (pkt_len < len)) {
+    if ((pkt_len <= pos) || (pkt_len < len)) {
         /* length field of MQTT-SN packet seems to be invalid -> drop the pkt */
         return;
     }
-- 
GitLab