Module: kamailio Branch: master Commit: 3302687e2b995ee9faab1655e6bb5e5d4a0dbc87 URL: https://github.com/kamailio/kamailio/commit/3302687e2b995ee9faab1655e6bb5e5d...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: 2017-12-31T10:39:16+01:00
websocket: early check for frame size to fit max buf size
- avoid decoding a large buffer only to fail afterwards - allocate BUF_SIZE+1 for the fragment buffer, consistent with the other recv buffers
---
Modified: src/modules/websocket/ws_conn.c Modified: src/modules/websocket/ws_frame.c
---
Diff: https://github.com/kamailio/kamailio/commit/3302687e2b995ee9faab1655e6bb5e5d... Patch: https://github.com/kamailio/kamailio/commit/3302687e2b995ee9faab1655e6bb5e5d...
---
diff --git a/src/modules/websocket/ws_conn.c b/src/modules/websocket/ws_conn.c
index 9fedf33f7b..786d87dc50 100644
--- a/src/modules/websocket/ws_conn.c
+++ b/src/modules/websocket/ws_conn.c
@@ -202,13 +202,13 @@ int wsconn_add(struct receive_info rcv, unsigned int sub_protocol)
 LM_DBG("wsconn_add id [%d]\n", id);
 /* Allocate and fill in new WebSocket connection */
- wsc = shm_malloc(sizeof(ws_connection_t) + BUF_SIZE);
+ wsc = shm_malloc(sizeof(ws_connection_t) + BUF_SIZE + 1);
 if (wsc == NULL)
 {
 LM_ERR("allocating shared memory\n");
 return -1;
 }
- memset(wsc, 0, sizeof(ws_connection_t) + BUF_SIZE);
+ memset(wsc, 0, sizeof(ws_connection_t) + BUF_SIZE + 1);
 wsc->id = id;
 wsc->id_hash = id_hash;
 wsc->state = WS_S_OPEN;
diff --git a/src/modules/websocket/ws_frame.c b/src/modules/websocket/ws_frame.c
index 8e632892f6..5aafe064e9 100644
--- a/src/modules/websocket/ws_frame.c
+++ b/src/modules/websocket/ws_frame.c
@@ -406,7 +406,7 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
 short *err_code, str *err_text)
 {
 unsigned int i, len = tcpinfo->len;
- int mask_start, j;
+ unsigned int mask_start, j;
 char *buf = tcpinfo->buf;
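Review bot: The allocation size `sizeof(ws_connection_t) + BUF_SIZE + 1` is now written out twice, once in the `shm_malloc()` call and again in the `memset()` a few lines below, and nothing ties the two expressions together, so the next adjustment can silently desynchronise them; computing it once, `size_t wsc_size = sizeof(ws_connection_t) + BUF_SIZE + 1;`, and passing `wsc_size` to both calls removes that risk. The extra byte is only explained in the commit message, so a comment at the allocation such as `/* +1 to match the size of the other recv buffers (BUF_SIZE + 1) */` would keep the reason next to the code. The remainder of wsconn_add lies outside the hunk.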
 LM_DBG("decoding WebSocket frame\n");
@@ -535,6 +535,13 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
 *err_text = str_status_protocol_error;
 return -1;
 }
+ if(frame->payload_len >= BUF_SIZE) {
+ LM_WARN("message is too long for our buffer size (%d / %d)\n",
+ BUF_SIZE, frame->payload_len);
+ *err_code = 1009;
+ *err_text = str_status_message_too_big;
+ return -1;
+ }
 frame->payload_data = &buf[mask_start + 4];
 for (i = 0; i < frame->payload_len; i++)
 {
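Review bot: Turning `mask_start` and `j` into `unsigned int` removes the signed/unsigned mismatch against `len` and `i`, but it also changes the meaning of any range check in the body that subtracts: an expression like `len - mask_start - 4` can no longer go negative and wraps to a huge value instead, so a test of the shape `if(len - mask_start - 4 < 0)` would become dead code while `if(mask_start + 4 > len)` stays correct. The body of decode_and_validate_ws_frame that uses these variables is outside this hunk, so this is a point to verify rather than a defect visible here.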
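Review bot: The new guard bounds `frame->payload_len` only against BUF_SIZE, not against the bytes actually received, so unless the check whose `str_status_protocol_error` branch ends just above already ties `payload_len` to `len`, the unmasking loop that follows still indexes `payload_data[i]` beyond the end of `tcpinfo->buf` for a frame that advertises more payload than arrived; a guard of the form `if(mask_start + 4 > len || frame->payload_len > len - (mask_start + 4))` belongs before the loop. The loop body and the rest of decode_and_validate_ws_frame are outside the hunk. Separately, the warning prints `frame->payload_len` with `%d`; if the field is unsigned, as the comparison with the unsigned `i` in the loop suggests, `%u` is the matching specifier. Finally, `>=` rejects a payload of exactly BUF_SIZE bytes even though the companion ws_conn.c change sizes the fragment buffer at BUF_SIZE + 1; if that byte is reserved for a terminator this is the intended limit, and a comment such as `/* keep one byte of the BUF_SIZE + 1 buffer free */` would make the boundary explicit.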