Fix potential bugs: asn1_encode constant, mqtt_head_unpack bounds check, mqtt_next_mid wrap, unpack underflow, on_close null check

Copilot · ithewei · Copilot · commit d709bc051de2 · 2026-03-11T06:54:41.000Z
Co-authored-by: ithewei &lt;26049660+ithewei@users.noreply.github.com&gt;
diff --git a/base/hmath.h b/base/hmath.h
@@ -92,7 +92,7 @@ static inline int asn1_encode(long long value, unsigned char* buf) {
         *p = (unsigned char)value;
         return 3;
     }
-    else if (value < 16777126)
+    else if (value < 16777216)
     {
         *p = 0x83;
         p++;
diff --git a/event/unpack.c b/event/unpack.c
@@ -157,7 +157,14 @@ int hio_unpack_by_length_field(hio_t* io, void* buf, int readbytes) {
             hio_close(io);
             return -1;
         }
-        package_len = head_len + body_len + setting->length_adjustment;
+        int signed_package_len = (int)head_len + (int)body_len + setting->length_adjustment;
+        if (signed_package_len <= 0 || signed_package_len > (int)setting->package_max_length) {
+            hloge("Invalid package length %d!", signed_package_len);
+            io->error = ERR_OVER_LIMIT;
+            hio_close(io);
+            return -1;
+        }
+        package_len = (unsigned int)signed_package_len;
         if (remain >= package_len) {
             hio_read_cb(io, (void*)p, package_len);
             handled += package_len;
diff --git a/mqtt/mqtt_client.c b/mqtt/mqtt_client.c
@@ -8,7 +8,8 @@
 
 static unsigned short mqtt_next_mid() {
     static unsigned short s_mid = 0;
-    return ++s_mid;
+    if (++s_mid == 0) s_mid = 1;
+    return s_mid;
 }
 
 static int mqtt_client_send(mqtt_client_t* cli, const void* buf, int len) {
@@ -231,6 +232,7 @@ static void mqtt_client_add_reconnect_timer(mqtt_client_t* cli) {
 
 static void on_close(hio_t* io) {
     mqtt_client_t* cli = (mqtt_client_t*)hevent_userdata(io);
+    if (cli == NULL) return;
     cli->connected = 0;
     if (cli->cb) {
         cli->head.type = MQTT_TYPE_DISCONNECT;
diff --git a/mqtt/mqtt_protocol.c b/mqtt/mqtt_protocol.c
@@ -11,6 +11,7 @@ int mqtt_head_pack(mqtt_head_t* head, unsigned char buf[]) {
 }
 
 int mqtt_head_unpack(mqtt_head_t* head, const unsigned char* buf, int len) {
+    if (len < 2) return 0;
     head->type   = (buf[0] >> 4) & 0x0F;
     head->dup    = (buf[0] >> 3) & 0x01;
     head->qos    = (buf[0] >> 1) & 0x03;

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ static inline int asn1_encode(long long value, unsigned char* buf) {`
`92`	`92`	`*p = (unsigned char)value;`
`93`	`93`	`return 3;`
`94`	`94`	`}`
`95`		`- else if (value < 16777126)`
	`95`	`+ else if (value < 16777216)`
`96`	`96`	`{`
`97`	`97`	`*p = 0x83;`
`98`	`98`	`p++;`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ int mqtt_head_pack(mqtt_head_t* head, unsigned char buf[]) {`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`int mqtt_head_unpack(mqtt_head_t* head, const unsigned char* buf, int len) {`
	`14`	`+ if (len < 2) return 0;`
`14`	`15`	`head->type = (buf[0] >> 4) & 0x0F;`
`15`	`16`	`head->dup = (buf[0] >> 3) & 0x01;`
`16`	`17`	`head->qos = (buf[0] >> 1) & 0x03;`