ithewei · Copilot · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/base/hmath.h b/base/hmath.h
@@ -92,7 +92,7 @@ static inline int asn1_encode(long long value, unsigned char* buf) {
         *p = (unsigned char)value;
         return 3;
     }
-    else if (value < 16777126)
+    else if (value < 16777216)
     {
         *p = 0x83;
         p++;

diff --git a/event/unpack.c b/event/unpack.c
@@ -157,7 +157,14 @@ int hio_unpack_by_length_field(hio_t* io, void* buf, int readbytes) {
             hio_close(io);
             return -1;
         }
-        package_len = head_len + body_len + setting->length_adjustment;
+        int signed_package_len = (int)head_len + (int)body_len + setting->length_adjustment;
+        if (signed_package_len <= 0 || signed_package_len > (int)setting->package_max_length) {
+            hloge("Invalid package length %d!", signed_package_len);
+            io->error = ERR_OVER_LIMIT;
+            hio_close(io);
+            return -1;
+        }
+        package_len = (unsigned int)signed_package_len;
         if (remain >= package_len) {
             hio_read_cb(io, (void*)p, package_len);
             handled += package_len;

diff --git a/mqtt/mqtt_client.c b/mqtt/mqtt_client.c
@@ -8,7 +8,8 @@
 
 static unsigned short mqtt_next_mid() {
     static unsigned short s_mid = 0;
-    return ++s_mid;
+    if (++s_mid == 0) s_mid = 1;
+    return s_mid;
 }
 
 static int mqtt_client_send(mqtt_client_t* cli, const void* buf, int len) {
@@ -231,6 +232,7 @@ static void mqtt_client_add_reconnect_timer(mqtt_client_t* cli) {
 
 static void on_close(hio_t* io) {
     mqtt_client_t* cli = (mqtt_client_t*)hevent_userdata(io);
+    if (cli == NULL) return;
     cli->connected = 0;
     if (cli->cb) {
         cli->head.type = MQTT_TYPE_DISCONNECT;

diff --git a/mqtt/mqtt_protocol.c b/mqtt/mqtt_protocol.c
@@ -11,6 +11,7 @@ int mqtt_head_pack(mqtt_head_t* head, unsigned char buf[]) {
 }
 
 int mqtt_head_unpack(mqtt_head_t* head, const unsigned char* buf, int len) {
+    if (len < 2) return 0;
     head->type   = (buf[0] >> 4) & 0x0F;
     head->dup    = (buf[0] >> 3) & 0x01;
     head->qos    = (buf[0] >> 1) & 0x03;