From 1a1478551e49d52953362cd8154c04ec07ee1e32 Mon Sep 17 00:00:00 2001
From: Dirk Ziegelmeier <dirk@ziegelmeier.net>
Date: Mon, 13 Nov 2017 22:29:25 +0100
Subject: [PATCH] Fix bug #52345: MQTT buffer length check seems wrong (for
 empty payload in publish message)

---
 src/apps/mqtt/mqtt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/apps/mqtt/mqtt.c b/src/apps/mqtt/mqtt.c
index b03987cd..32278e27 100644
--- a/src/apps/mqtt/mqtt.c
+++ b/src/apps/mqtt/mqtt.c
@@ -716,7 +716,7 @@ mqtt_message_received(mqtt_client_t *client, u8_t fixed_hdr_idx, u16_t length, u
       topic = var_hdr_payload + 2;
       after_topic = 2 + topic_len;
       /* Check length, add one byte even for QoS 0 so that zero termination will fit */
-      if ((after_topic + (qos ? 2 : 1)) > length) {
+      if ((after_topic + (qos ? 2 : 1)) > (MQTT_VAR_HEADER_BUFFER_LEN - fixed_hdr_idx)) {
         LWIP_DEBUGF(MQTT_DEBUG_WARN, ("mqtt_message_received: Receive buffer can not fit topic + pkt_id\n"));
         goto out_disconnect;
       }