RIOT-OS
asymcute: fix one byte out-of-bounds access in _len_get
Contribution description
As per Section 5.2.1 of the MQTT-SN specification, the MQTT-SN length header is either 1- or 3-octet long. If it is 3-octet long then the first octet is 0x01. The asymcute implementation currently only checks that the incoming packet is at least 2-octet long before attempting to parse it (MIN_PKT_LEN):
https://github.com/RIOT-OS/RIOT/blob/4dcb8edcc8f985ba25f83cccf0a7c8d2ceee74f2/sys/net/application_layer/asymcute/asymcute.c#L578
However, if the first octet is 0x01 the packet must be more than 3 octet long in order to be valid. Since asymcute does not check this it reads one octet beyond the packet data (via byteorder_bebuftohs which reads a uint16_t in _len_get) for a 2-octet packet where the first octet has the value 0x01. This commit fixes this issue by adding an additional sanity check to _len_get.
Testing procedure
I think this should (hopefully) be obvious from reading the code and comparing consulting the aforementioned section in the MQTT-SN specification.
Also note that emcute has an explicit check for this:
https://github.com/RIOT-OS/RIOT/blob/b0f4781e1547357c5fbe5256f940c95b324a711c/sys/net/application_layer/emcute/emcute.c#L531-L534
Issues/PRs references
None.
:exclamation: This may cause a semantic merge conflict with https://github.com/RIOT-OS/RIOT/pull/18434, once that is merged: _get_len() gains another parameter, so only trust Murdock if it has successfully build both with either of one in master (and check if the master Murdock used includes the other PR).
This will now need a rebase anyway
Rebased and made the necessary adjustments for the _len_get function prototype.