From ae2986cdf0c3177f7ed77f491b8ed084420ad46a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 10 Jun 2026 13:52:13 +0200
Subject: [PATCH] mqtt: return error on truncated Remaining Length

Pointed out by: Zeropath

Closes #21949
---
 lib/mqtt.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/mqtt.c b/lib/mqtt.c
index 1137909454..adbb3ebc44 100644
--- a/lib/mqtt.c
+++ b/lib/mqtt.c
@@ -602,9 +602,9 @@ fail:
   return result;
 }
 
-/* return 0 on success, non-zero on error */
-static int mqtt_decode_len(size_t *lenp, const unsigned char *buf,
-                           size_t buflen)
+/* return FALSE on success, TRUE on error */
+static bool mqtt_decode_len(size_t *lenp, const unsigned char *buf,
+                            size_t buflen)
 {
   size_t len = 0;
   size_t mult = 1;
@@ -613,14 +613,17 @@ static int mqtt_decode_len(size_t *lenp, const unsigned char *buf,
 
   for(i = 0; (i < buflen) && (encoded & 128); i++) {
     if(i == 4)
-      return 1; /* bad size */
+      return TRUE; /* bad size */
     encoded = buf[i];
     len += (encoded & 127) * mult;
     mult *= 128;
   }
+  if(encoded & 128)
+    /* truncated size */
+    return TRUE;
 
   *lenp = len;
-  return 0;
+  return FALSE;
 }
 
 #if defined(DEBUGBUILD) && defined(CURLVERBOSE)