From 8f2a50867bb83e17ce1deee1f7a78f246ee7bea5 Mon Sep 17 00:00:00 2001
From: goyalpalak18
Date: Mon, 23 Feb 2026 09:44:03 +0530
Subject: [PATCH] fix: crash in readPublish when payload is 1 byte

When payloadLen is 1, subtracting 2 from a uint32_t wraps around to 0xFFFFFFFF and writes a null byte way out of bounds, crashing the process. Removed the -2 and unified copyLen for both the memcpy and the null terminator.

Signed-off-by: goyalpalak18
---
 servers/mqtt_pit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/servers/mqtt_pit.c b/servers/mqtt_pit.c
index 13bff74..a05ad66 100644
--- a/servers/mqtt_pit.c
+++ b/servers/mqtt_pit.c
@@ -391,8 +391,8 @@ void readPublish(uint8_t* buffer, uint32_t packetEnd, uint32_t offset, enum Mqtt
 char payload[512] = {0};
 uint32_t payloadLen = packetEnd - offset;
- uint32_t copyLen = payloadLen < sizeof(payload) - 1 ? payloadLen - 2: sizeof(payload) - 1;
- memcpy(payload, &buffer[offset], payloadLen < 511 ? payloadLen : 511);
+ uint32_t copyLen = payloadLen < sizeof(payload) - 1 ? payloadLen : sizeof(payload) - 1;
+ memcpy(payload, &buffer[offset], copyLen);
 payload[copyLen] = '\0';
 char msg[256];
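Review bot: The unsigned subtraction `uint32_t payloadLen = packetEnd - offset;` is still unguarded, so the same wraparound class this patch fixes for `copyLen` remains one line earlier. If the header fields parsed before this point ever leave `offset` greater than `packetEnd`, `payloadLen` wraps to a huge value, `copyLen` clamps to 511, and the `memcpy` reads 511 bytes starting at `&buffer[offset]`, which may run past the received data. The hunk does not show whether `offset` is validated earlier in `readPublish` (the function body starts and ends outside the hunk), so if it is not, a guard such as `if (offset > packetEnd) return;` placed before the subtraction would close this for malformed packets. Since the payload comes from the network, a short comment stating that `copyLen` bounds both the source read and the terminator write would also help the next reader.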