When calculating the total length of an MQTT packet, the function MQTTPacket_len() determines the number of bytes needed to encode the remaining length, then adds one for the header byte.

The problem is that the header byte is added to rlen before calculating the number of bytes required to encode the remaining length. So for some values of rlen, e.g, 127, the result of MQTTPacket_len() will be 1 byte too large.

The line rem_len += 1; /* header byte */ should be placed at the end of the function, after the calc for the length of the remaining length field.

Also, the case:
else if (rem_len < 2097151) rem_len += 3;

is incorrect, as the value 2097151 can be encoded in three bytes (0xFF, 0xFF, 0x7F) but this function will say it requires four.

I also find this problem，but why they do not fix it?