From 66daf4593b00a1d1e6819b112d0e9623d8068aa8 Mon Sep 17 00:00:00 2001
From: TristanInSec
Date: Tue, 26 May 2026 15:06:40 -0400
Subject: [PATCH] in_mqtt: fix OOB read from hardcoded remaining length overhead

The MQTT packet parser used hardcoded +2/-2 to account for the fixed header size (1 type byte + 1 remaining-length byte). This is only correct when the remaining length fits in a single byte (0-127). For remaining lengths 128+, the encoding uses 2-4 bytes, making the actual overhead 3-5 bytes.

Replace the constant with the computed header size (buf_pos - pos + 1) so the bounds checks account for the actual number of remaining-length bytes consumed.

Signed-off-by: Tristan
---
 plugins/in_mqtt/mqtt_prot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/in_mqtt/mqtt_prot.c b/plugins/in_mqtt/mqtt_prot.c
index e7af1aeb6a3..a056346c8b4 100644
--- a/plugins/in_mqtt/mqtt_prot.c
+++ b/plugins/in_mqtt/mqtt_prot.c
@@ -416,7 +416,7 @@ int mqtt_prot_parser(struct mqtt_conn *conn)
 return MQTT_ERROR;
 }
- if (length + 2 > (conn->buf_len - pos)) {
+ if (length + (conn->buf_pos - pos + 1) > (conn->buf_len - pos)) {
 conn->buf_pos = pos;
 flb_plg_trace(ctx->ins, "[fd=%i] Need more data",
 conn->connection->fd);
@@ -424,7 +424,7 @@ int mqtt_prot_parser(struct mqtt_conn *conn)
 }
 if ((BUFC() & 128) == 0) {
- if (conn->buf_len - 2 < length) {
+ if (conn->buf_len - (conn->buf_pos - pos + 1) < length) {
 conn->buf_pos = pos;
 flb_plg_trace(ctx->ins, "[fd=%i] Need more data",
 conn->connection->fd);
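Review bot: The header-size expression `conn->buf_pos - pos + 1` is now written out twice, once in each of the two hunks, with nothing saying what it measures; compute it once after the remaining-length loop, e.g. `int hdr_len = conn->buf_pos - pos + 1; /* fixed header: type byte + remaining-length bytes */`, and use `hdr_len` in both checks so the two bounds checks cannot drift apart. This relies on `pos` still holding the index of the packet's first byte when the loop exits, which cannot be confirmed here because mqtt_prot_parser and the loop that advances `conn->buf_pos` start before the first hunk. In the second hunk the check `conn->buf_len - (conn->buf_pos - pos + 1) < length` does not subtract `pos`, so for any non-negative `pos` it appears to be implied by the first hunk's `length + header > conn->buf_len - pos` and would never fire on its own; if that is intended, a one-line comment saying so would stop the next reader from treating it as a second, different bound.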