
Merge pull request #1413 from armenb/ws_check_bounds_before_reading_mask

websocket: check bounds before reading mask

Daniel-Constantin Mierla authored on 26/01/2018 07:50:54 • GitHub committed on 26/01/2018 07:50:54
Showing 1 changed files
... ...
@@ -470,13 +470,6 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
470 470
 	} else
471 471
 		mask_start = 2;
472 472
 
473
-	/* Decode mask */
474
-	frame->masking_key[0] = (buf[mask_start + 0] & 0xff);
475
-	frame->masking_key[1] = (buf[mask_start + 1] & 0xff);
476
-	frame->masking_key[2] = (buf[mask_start + 2] & 0xff);
477
-	frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
478
-
479
-	/* Decode and unmask payload */
480 473
 	if((unsigned long long)len
481 474
 			!= (unsigned long long)frame->payload_len + mask_start + 4) {
482 475
 		LM_WARN("message not complete frame size %u but received %u\n",
... ...
@@ -492,7 +485,15 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
492 485
 		*err_text = str_status_message_too_big;
493 486
 		return -1;
494 487
 	}
488
+	/* Decode mask */
489
+	frame->masking_key[0] = (buf[mask_start + 0] & 0xff);
490
+	frame->masking_key[1] = (buf[mask_start + 1] & 0xff);
491
+	frame->masking_key[2] = (buf[mask_start + 2] & 0xff);
492
+	frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
493
+
495 494
 	frame->payload_data = &buf[mask_start + 4];
495
+
496
+	/* Decode and unmask payload */
496 497
 	for(i = 0; i < frame->payload_len; i++) {
497 498
 		j = i % 4;
498 499
 		frame->payload_data[i] = frame->payload_data[i] ^ frame->masking_key[j];
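Review bot: The relocated mask read at new lines 489-492 is in bounds only because it now sits after the `len != frame->payload_len + mask_start + 4` check at new lines 473-474, and nothing in the code records that ordering requirement. I would replace the bare `/* Decode mask */` with `/* Decode mask: must follow the frame length check above, which guarantees buf holds mask_start + 4 bytes */` so that a later reshuffle does not bring back the read past the received data. New lines 476-484 are not shown, so this assumes every failing path there returns before line 489. decode_and_validate_ws_frame starts before and continues after the visible hunks.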