authorDaniel Stenberg <daniel@haxx.se>2020-12-17 13:34:38 +0100
committerDaniel Stenberg <daniel@haxx.se>2020-12-18 12:54:05 +0100
commitdebf23eead5a67b82bae668929c798196a42adc3 (patch)
tree4161cb9af5e7ccb8638c89e63dfb6fbac9c8d6d5 /lib
parent92fe66c5109211519df1ef32d752dbecc34e53c7 (diff)
downloadcurl-debf23eead5a67b82bae668929c798196a42adc3.tar.gz
mqtt: handle POST/PUBLISH without a set POSTFIELDSIZE
Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28735 Added test 1916 and 1917 to verify. Closes #6338
Diffstat (limited to 'lib')
-rw-r--r--lib/mqtt.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/mqtt.c b/lib/mqtt.c
index a56c7d5eb..71a00cfc2 100644
--- a/lib/mqtt.c
+++ b/lib/mqtt.c
@@ -319,7 +319,7 @@ static CURLcode mqtt_publish(struct connectdata *conn)
{
CURLcode result;
char *payload = conn->data->set.postfields;
- size_t payloadlen = (size_t)conn->data->set.postfieldsize;
+ size_t payloadlen;
char *topic = NULL;
size_t topiclen;
unsigned char *pkt = NULL;
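Review bot: `size_t payloadlen;` is now declared without a value, so the function depends on the block added in the next hunk assigning it on both branches before first use. A comment at the declaration would record that dependency and the new length rule, for example `size_t payloadlen; /* set below: strlen(payload) when postfieldsize is negative (not set) */`. In that next hunk the explicit-size branch still narrows with `(size_t)postfieldsize`; if `curl_off_t` can be wider than `size_t` on a supported target, an oversized value would presumably be truncated silently, so a range check that returns an error before the cast would be safer. The body of mqtt_publish continues outside this hunk, so any later use of `payloadlen` is not visible here.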
@@ -327,6 +327,14 @@ static CURLcode mqtt_publish(struct connectdata *conn)
size_t remaininglength;
size_t encodelen;
char encodedbytes[4];
+ curl_off_t postfieldsize = conn->data->set.postfieldsize;
+
+ if(!payload)
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ if(postfieldsize < 0)
+ payloadlen = strlen(payload);
+ else
+ payloadlen = (size_t)postfieldsize;
result = mqtt_get_topic(conn, &topic, &topiclen);
if(result)