mirror of https://github.com/RIOT-OS/RIOT.git synced 2025-01-18 12:52:44 +01:00

14 Commits

Author SHA1 Message Date
Hauke Petersen
3b424858de net/emcute: fix buffer overflow in _willupd_msg() 2020-09-22 11:43:00 +02:00
Marian Buschsieweke
3b6fa61829
sys: Cleanup access to internal variables
Replace direct accesses to sched_active_thread and sched_active_pid with
the helper functions thread_getpid() and thread_get_active(). This serves
two purposes:

1. It makes accidental writes to those variables from outside core less likely.
2. Casting off the volatile qualifier is now well contained to those two
   functions
2020-08-24 20:28:11 +02:00
Martine Lenders
9d0faa9e5f
Merge pull request #11957 from miri64/emcute/fix/payload-copy-error
emcute: fix payload copy error for emcute_pub
2019-10-07 17:17:44 +02:00
Martine Lenders
999a7714b0
Merge pull request #12382 from nmeum/pr/asymcute_continue
emcute: never return from receive loop
2019-10-07 16:28:09 +02:00
Sören Tempel
74e19d451c emcute: never return from receive loop
Without this change an attacker would be able to stop the emcute server
by sending a crafted packet triggering this branch. The solution is
using `continue` instead of `return`.
2019-10-07 15:12:20 +02:00
Martine S. Lenders
89afc378a9 emcute: fix length field calculation
The length field in an MQTT packet carries the _total_ length of the
packet. If it is below 256 (i.e. fits in one byte) only one byte is
used for the length field. If it is larger than that 3 bytes are used,
with the first byte having the value `0x01` and the remaining bytes
representing the length as a 2 byte unsigned integer in network byte
order. Resulting from that it can be assessed that the check in
`emcute`'s `set_len()` function is wrong as it needs to be checked if
`len` is less than or equal to `0xff - 1`. `len <= (0xff - 1)` can be
simplified to `len < 0xff`. For some larger packages this saves 2 bytes
of wasted packet space.
2019-08-05 13:08:20 +02:00
Martine S. Lenders
10a3f3e8ed emcute: fix payload copy error for emcute_pub
`len` is used with the `memcpy()` to copy the payload to `tbuf`. With a
payload provided that is just long enough to fill `tbuf`, `len += 6`
leads to the `memcpy()` overriding data after `tbuf` (e.g. the
`mutex` that is unlocked right after) and thus resulting in potential
segmentation faults.
Additionally `+ 6` can only be applied if the total packet length is
below 256 (see spec), so `len + pos` is what needs to be provided to the
corresponding send functions instead (`pos` adapts to the header length
of the PUBLISH message).
2019-08-05 13:07:15 +02:00
Hauke Petersen
eb50d4704a net/emcute: make cli ID conform to standard 2019-07-04 11:04:22 +02:00
Hauke Petersen
1bfb3c8534 net/emcute: adapted to changes byteorder functions 2018-07-04 17:41:04 +02:00
Hauke Petersen
36ecaa6e4b net/emcute: use global byteorder functions 2018-06-07 12:10:58 +02:00
Hauke Petersen
7f2fb5e0a3 net/emcute: use correct number of retries
syncsend() is used also for the initial packet, so resending
while (retries <= EMCUTE_N_RETRY) is the correct behavior.
2018-05-28 11:41:20 +02:00
Hauke Petersen
91ff52a897 net/emcute: use size_t for length comparisons 2017-06-28 22:52:34 +02:00
Hauke Petersen
ae367e5537 net/emcute: check value of length field before use 2017-06-28 22:51:39 +02:00
Hauke Petersen
bb71986ecf net: added emCute - introducing MQTT-SN support 2017-02-28 16:58:29 +01:00