Module: kamailio
Branch: master
Commit: 3302687e2b995ee9faab1655e6bb5e5d4a0dbc87
URL:
https://github.com/kamailio/kamailio/commit/3302687e2b995ee9faab1655e6bb5e5…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2017-12-31T10:39:16+01:00
websocket: early check for frame size to fit max buf size
- avoid decoding a large buffer and then fail
- allocate BUF_SIZE+1 for fragment buffer, consistent with other recv
buffers
---
Modified: src/modules/websocket/ws_conn.c
Modified: src/modules/websocket/ws_frame.c
---
Diff:
https://github.com/kamailio/kamailio/commit/3302687e2b995ee9faab1655e6bb5e5…
Patch:
https://github.com/kamailio/kamailio/commit/3302687e2b995ee9faab1655e6bb5e5…
---
diff --git a/src/modules/websocket/ws_conn.c b/src/modules/websocket/ws_conn.c
index 9fedf33f7b..786d87dc50 100644
--- a/src/modules/websocket/ws_conn.c
+++ b/src/modules/websocket/ws_conn.c
@@ -202,13 +202,13 @@ int wsconn_add(struct receive_info rcv, unsigned int sub_protocol)
LM_DBG("wsconn_add id [%d]\n", id);
/* Allocate and fill in new WebSocket connection */
- wsc = shm_malloc(sizeof(ws_connection_t) + BUF_SIZE);
+ wsc = shm_malloc(sizeof(ws_connection_t) + BUF_SIZE + 1);
if (wsc == NULL)
{
LM_ERR("allocating shared memory\n");
return -1;
}
- memset(wsc, 0, sizeof(ws_connection_t) + BUF_SIZE);
+ memset(wsc, 0, sizeof(ws_connection_t) + BUF_SIZE + 1);
wsc->id = id;
wsc->id_hash = id_hash;
wsc->state = WS_S_OPEN;
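Review bot: The size expression `sizeof(ws_connection_t) + BUF_SIZE + 1` on the shm_malloc line is repeated verbatim in the memset two lines later, which is exactly how the two lengths were able to drift and need fixing in two places in this commit; compute it once, `size_t wsc_size = sizeof(ws_connection_t) + BUF_SIZE + 1;`, and pass `wsc_size` to both calls. The reason for the extra byte lives only in the commit message, so a comment on the allocation would keep it with the code, e.g. `/* +1: room for a terminating NUL, matching the other receive buffers */` — I am inferring the NUL-terminator purpose from "coherent with other recv buffers", please confirm. wsconn_add starts before and continues after this hunk.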
diff --git a/src/modules/websocket/ws_frame.c b/src/modules/websocket/ws_frame.c
index 8e632892f6..5aafe064e9 100644
--- a/src/modules/websocket/ws_frame.c
+++ b/src/modules/websocket/ws_frame.c
@@ -406,7 +406,7 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
short *err_code, str *err_text)
{
unsigned int i, len = tcpinfo->len;
- int mask_start, j;
+ unsigned int mask_start, j;
char *buf = tcpinfo->buf;
LM_DBG("decoding WebSocket frame\n");
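Review bot: Turning `mask_start` and `j` into `unsigned int` is a declaration-only change in this hunk, so any later `mask_start < 0` test or `len - mask_start` subtraction in the body (outside the hunk) now behaves differently: a negative test becomes always false and the subtraction wraps instead of going negative. If such checks exist they should be restated as comparisons against `len` before `buf` is indexed; if none exist the change is fine, and a short comment on the declaration, `/* byte offsets into buf, always bounded by len */`, would record the intent. decode_and_validate_ws_frame's body continues beyond this hunk.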
@@ -535,6 +535,13 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
*err_text = str_status_protocol_error;
return -1;
}
+ if(frame->payload_len >= BUF_SIZE) {
+ LM_WARN("message is too long for our buffer size (%d / %d)\n",
+ BUF_SIZE, frame->payload_len);
+ *err_code = 1009;
+ *err_text = str_status_message_too_big;
+ return -1;
+ }
frame->payload_data = &buf[mask_start + 4];
for (i = 0; i < frame->payload_len; i++)
{
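Review bot: The new check bounds `frame->payload_len` against the destination buffer (BUF_SIZE) but not against the bytes actually received: the loop starting on the hunk's last line walks `frame->payload_len` bytes from `payload_data = &buf[mask_start + 4]` (its body is outside the hunk), so unless an earlier check outside the hunk already enforces `mask_start + 4 + frame->payload_len <= len`, a header that claims more payload than arrived is still read past `tcpinfo->len`. If that check is missing, add it next to this one, `if(mask_start + 4 + frame->payload_len > len) { *err_code = 1002; *err_text = str_status_protocol_error; return -1; }`, reusing the protocol-error values already set just above. With the fragment buffer now BUF_SIZE + 1 bytes, `>= BUF_SIZE` also rejects a payload of exactly BUF_SIZE that would fit with its terminator; if that is deliberate, a comment saying so would save the next reader the question. The warning prints BUF_SIZE before the payload length although the text says "message is too long", so `frame->payload_len, BUF_SIZE` reads more naturally, and `%u` is the matching specifier if payload_len is unsigned (its type is not visible here). The literal `1009` deserves `/* RFC 6455: 1009 Message Too Big */`.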