Fixed unsafe string dup behaviour.

include/nng/mqtt/mqtt_client.h

@@ -484,7 +484,7 @@ NNG_DECL void nng_mqtt_topic_array_set(nng_mqtt_topic *, size_t, const char *);
 NNG_DECL void nng_mqtt_topic_array_free(nng_mqtt_topic *, size_t);
 NNG_DECL nng_mqtt_topic_qos *nng_mqtt_topic_qos_array_create(size_t);
 NNG_DECL void nng_mqtt_topic_qos_array_set(nng_mqtt_topic_qos *, size_t,
-           const char *, uint8_t, uint8_t, uint8_t, uint8_t);
+           const char *, uint32_t, uint8_t, uint8_t, uint8_t, uint8_t);
 NNG_DECL void nng_mqtt_topic_qos_array_free(nng_mqtt_topic_qos *, size_t);
 NNG_DECL int  nng_mqtt_set_connect_cb(nng_socket, nng_pipe_cb, void *);
 NNG_DECL int  nng_mqtt_set_disconnect_cb(nng_socket, nng_pipe_cb, void *);

src/supplemental/mqtt/mqtt_codec.c

@@ -597,6 +597,7 @@ dup_subscribe(nni_mqtt_proto_data *dest, nni_mqtt_proto_data *src)
 	for (size_t i = 0; i < src->payload.subscribe.topic_count; i++) {
 		nni_mqtt_topic_qos_array_set(dest->payload.subscribe.topic_arr,
 		    i, (const char *) src->payload.subscribe.topic_arr[i].topic.buf,
+		    src->payload.subscribe.topic_arr[i].topic.length,
 		    src->payload.subscribe.topic_arr[i].qos,
 			src->payload.subscribe.topic_arr[i].nolocal,
 			src->payload.subscribe.topic_arr[i].rap,

src/supplemental/mqtt/mqtt_msg.c

@@ -385,7 +385,7 @@ nni_mqtt_msg_set_subscribe_topics(
 	for (size_t i = 0; i < topic_count; i++) {
 		nni_mqtt_topic_qos_array_set(
 		    proto_data->payload.subscribe.topic_arr, i,
-		    (const char *) topics[i].topic.buf, topics[i].qos,
+		    (const char *) topics[i].topic.buf, topics[i].topic.length, topics[i].qos,
 			topics[i].nolocal, topics[i].rap, topics[i].retain_handling);
 	}
 }
@@ -828,10 +828,11 @@ nni_mqtt_topic_qos_array_create(size_t n)
 
 void
 nni_mqtt_topic_qos_array_set(nni_mqtt_topic_qos *topic_qos, size_t index,
-    const char *topic_name, uint8_t qos, uint8_t nl, uint8_t rap, uint8_t rh)
+    const char *topic_name, uint32_t len, uint8_t qos, uint8_t nl, uint8_t rap, uint8_t rh)
 {
-	topic_qos[index].topic.buf       = (uint8_t *) nni_strdup(topic_name);
-	topic_qos[index].topic.length    = (uint32_t) strlen(topic_name);
+	topic_qos[index].topic.buf       = (uint8_t *) nni_alloc(len * sizeof(uint8_t));
+	memcpy(topic_qos[index].topic.buf, topic_name, len);
+	topic_qos[index].topic.length    = len;
 	topic_qos[index].qos             = qos;
 	topic_qos[index].nolocal         = nl;
 	topic_qos[index].rap             = rap;
@@ -842,7 +843,7 @@ void
 nni_mqtt_topic_qos_array_free(nni_mqtt_topic_qos *topic_qos, size_t n)
 {
 	for (size_t i = 0; i < n; i++) {
-		nni_strfree((char *) topic_qos[i].topic.buf);
+		nni_free(topic_qos[i].topic.buf, topic_qos[i].topic.length);
 		topic_qos[i].topic.length = 0;
 	}
 	NNI_FREE_STRUCTS(topic_qos, n);

src/supplemental/mqtt/mqtt_msg.h

@@ -444,7 +444,7 @@ NNG_DECL void nni_mqtt_topic_array_free(nni_mqtt_topic *, size_t);
 // mqtt topic_qos create/free/set
 NNG_DECL nni_mqtt_topic_qos *nni_mqtt_topic_qos_array_create(size_t);
 NNG_DECL void nni_mqtt_topic_qos_array_set(nni_mqtt_topic_qos *,
-        size_t, const char *, uint8_t, uint8_t, uint8_t, uint8_t);
+        size_t, const char *, uint32_t, uint8_t, uint8_t, uint8_t, uint8_t);
 NNG_DECL void nni_mqtt_topic_qos_array_free(nni_mqtt_topic_qos *, size_t);
 
 NNG_DECL void mqtt_close_unack_msg_cb(void *, void *);

src/supplemental/mqtt/mqtt_public.c

@@ -631,9 +631,9 @@ nng_mqtt_topic_qos_array_create(size_t n)
 */
 void
 nng_mqtt_topic_qos_array_set(nng_mqtt_topic_qos *topic_qos, size_t index,
-    const char *topic_name, uint8_t qos, uint8_t nolocal, uint8_t rap, uint8_t rh)
+    const char *topic_name, uint32_t len, uint8_t qos, uint8_t nolocal, uint8_t rap, uint8_t rh)
 {
-	nni_mqtt_topic_qos_array_set(topic_qos, index, topic_name, qos, nolocal, rap, rh);
+	nni_mqtt_topic_qos_array_set(topic_qos, index, topic_name, len, qos, nolocal, rap, rh);
 }
 
 void