
websocket: early check for frame size to fit max buf size

- avoid decoding a large buffer only to fail afterwards
- allocate BUF_SIZE+1 for the fragment buffer, consistent with the other recv
buffers

(cherry picked from commit 3302687e2b995ee9faab1655e6bb5e5d4a0dbc87)
(cherry picked from commit a6ad018a1d7d796272bc0cb07f7540c711990e37)
(cherry picked from commit 4491a7bef8c7097ecec9e251ae1944b43ee3570c)

Daniel-Constantin Mierla authored on 31/12/2017 09:39:16
Showing 2 changed files
@@ -201,13 +201,13 @@ int wsconn_add(struct receive_info rcv, unsigned int sub_protocol)
201 201
 	LM_DBG("wsconn_add id [%d]\n", id);
202 202
 
203 203
 	/* Allocate and fill in new WebSocket connection */
204
-	wsc = shm_malloc(sizeof(ws_connection_t) + BUF_SIZE);
204
+	wsc = shm_malloc(sizeof(ws_connection_t) + BUF_SIZE + 1);
205 205
 	if (wsc == NULL)
206 206
 	{
207 207
 		LM_ERR("allocating shared memory\n");
208 208
 		return -1;
209 209
 	}
210
-	memset(wsc, 0, sizeof(ws_connection_t) + BUF_SIZE);
210
+	memset(wsc, 0, sizeof(ws_connection_t) + BUF_SIZE + 1);
211 211
 	wsc->id = id;
212 212
 	wsc->id_hash = id_hash;
213 213
 	wsc->state = WS_S_OPEN;
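Review bot: The size expression `sizeof(ws_connection_t) + BUF_SIZE + 1` is spelled out twice, once for shm_malloc at line 204 and again for memset at line 210, so the two can drift apart again the next time the layout changes. A single named size removes that hazard: `size_t wsc_size = sizeof(ws_connection_t) + BUF_SIZE + 1;` used by both calls. The extra byte deserves a why-comment as well, since nothing in the function says what it is for; something like `/* +1: trailing byte for the fragment buffer, matching the other recv buffers */`, based on the rationale in the commit message. wsconn_add's body continues outside the hunk.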
@@ -411,7 +411,7 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
411 411
                                         short *err_code, str *err_text)
412 412
 {
413 413
 	unsigned int i, len = tcpinfo->len;
414
-	int mask_start, j;
414
+	unsigned int mask_start, j;
415 415
 	char *buf = tcpinfo->buf;
416 416
 
417 417
 	LM_DBG("decoding WebSocket frame\n");
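Review bot: Changing `mask_start` and `j` to `unsigned int` at line 414 silently alters any `< 0` test or signed comparison on them later in decode_and_validate_ws_frame, which this hunk does not show; it is worth confirming that no remaining use relies on a negative sentinel. The change does make them match the type of `len` (line 413) and of the `buf` offsets such as `mask_start + 4` that the third hunk indexes with, which is presumably the motivation; recording it with `/* unsigned: compared against and indexed relative to len */` would spare the next reader the guess. The function continues outside the hunk.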
@@ -540,6 +540,13 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
540 540
 		*err_text = str_status_protocol_error;
541 541
 		return -1;
542 542
 	}
543
+	if(frame->payload_len >= BUF_SIZE) {
544
+		LM_WARN("message is too long for our buffer size (%d / %d)\n",
545
+				BUF_SIZE, frame->payload_len);
546
+		*err_code = 1009;
547
+		*err_text = str_status_message_too_big;
548
+		return -1;
549
+	}
543 550
 	frame->payload_data = &buf[mask_start + 4];
544 551
 	for (i = 0; i < frame->payload_len; i++)
545 552
 	{
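Review bot: The `LM_WARN` added at lines 544-545 prints `frame->payload_len` with `%d`; `payload_len` is compared against the unsigned loop index `i` at line 551, so if it is an unsigned type the specifier should be `%u`, and the two values read more clearly when labelled rather than given as a bare "(%d / %d)" pair: `LM_WARN("message payload %u exceeds buffer size %d\n", frame->payload_len, BUF_SIZE);`. The `>=` at line 543 also rejects a payload of exactly BUF_SIZE bytes even though the connection buffer in this commit's wsconn_add change now holds BUF_SIZE + 1; if that headroom is deliberate, a one-line comment on the check, e.g. `/* >=: keep one byte of headroom in the BUF_SIZE+1 receive buffers */`, would make the boundary explicit. decode_and_validate_ws_frame continues outside the hunk.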