net: mqtt: Improve buffer bounds validation in mqtt_read_message_chunk

Verify more strictly that data read from the transport fits into RX
buffer. Switch to unsigned integers, where possible, to prevent
unnecessary signed/unsigned operations.

Signed-off-by: Robert Lubos <[email protected]>

Author: rlubos

subsys/net/lib/mqtt/mqtt_rx.c

@@ -140,20 +140,23 @@ static int mqtt_handle_packet(struct mqtt_client *client,
 static int mqtt_read_message_chunk(struct mqtt_client *client,
 				   struct buf_ctx *buf, u32_t length)
 {
-	int remaining;
+	u32_t remaining;
 	int len;
 
+	/* In case all data requested has already been buffered, return. */
+	if (length <= (buf->end - buf->cur)) {
+		return 0;
+	}
+
 	/* Calculate how much data we need to read from the transport,
 	 * given the already buffered data.
 	 */
 	remaining = length - (buf->end - buf->cur);
-	if (remaining <= 0) {
-		return 0;
-	}
 
 	/* Check if read does not exceed the buffer. */
-	if (buf->end + remaining > client->rx_buf + client->rx_buf_size) {
-		MQTT_ERR("[CID %p]: Buffer too small to receive the message",
+	if ((buf->end + remaining > client->rx_buf + client->rx_buf_size) ||
+	    (buf->end + remaining < client->rx_buf)) {
+		MQTT_ERR("[CID %p]: Read would exceed RX buffer bounds.",
 			 client);
 		return -ENOMEM;
 	}