From b7a13918c97a3520eba1cad2dbb949a463f8bb3d Mon Sep 17 00:00:00 2001
From: Matteo Collina
Date: Thu, 18 Apr 2019 00:04:30 +0200
Subject: [PATCH] fix malformed packet
---
 parser.js | 1 +
 test.js | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/parser.js b/parser.js
index 366ba27..cd15383 100644
--- a/parser.js
+++ b/parser.js
@@ -265,6 +265,7 @@ Parser.prototype._parseSubscribe = function () {
 topic = this._parseString()
 if (topic === null) return this._emitError(new Error('Cannot parse topic'))
+ if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))
 qos = this._list.readUInt8(this._pos++)
 // Push pair to subscriptions
diff --git a/test.js b/test.js
index 75a57df..d4e5494 100644
--- a/test.js
+++ b/test.js
@@ -1168,6 +1168,17 @@ testParseError('Cannot parse protocolId', Buffer.from([
 77, 81, 73, 115, 100, 112
 ]))
+// When a Subscribe packet contains a topic_filter and the given
+// length is topic_filter.length + 1 then the last byte (requested QoS) is interpreted as topic_filter
+// reading the requested_qos at the end causes 'Index out of range' read
+testParseError('Malformed Subscribe Payload', Buffer.from([
+ 130, 14, // subscribe header and remaining length
+ 0, 123, // packet ID
+ 0, 10, // topic filter length
+ 104, 105, 106, 107, 108, 47, 109, 110, 111, // topic filter with length of 9 bytes
+ 0 // requested QoS
+]))
+
 test('stops parsing after first error', function (t) {
 t.plan(4)
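Review bot: The byte read by `qos = this._list.readUInt8(this._pos++)` is stored without a range check, so a SUBSCRIBE entry can carry any value from 0 to 255 as its requested QoS, while MQTT defines only 0, 1 and 2. The new guard stops the out-of-range read, but nothing visible in the hunk rejects a reserved value, and code that later indexes or switches on `qos` would receive it. If no check exists further down, add `if (qos > 2) return this._emitError(new Error('Invalid subscribe QoS'))` directly after the read. `_parseSubscribe` starts before and ends after the lines shown, so a later validation may already exist outside the hunk.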
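Review bot: The new fixture pins only the case where the declared topic length swallows the QoS byte; the plainer truncation, a correct topic length with the QoS byte simply missing, has no test. The same guard presumably catches it, so a companion case would keep both paths covered, for example (constructed) `testParseError('Malformed Subscribe Payload', Buffer.from([130, 13, 0, 123, 0, 9, 104, 105, 106, 107, 108, 47, 109, 110, 111]))`. The comment above the fixture could also state that before the fix this input made `readUInt8` throw instead of emitting a parser error, since that is the reason the test exists.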