Module: sip-router
Branch: master
Commit: 6b8acf3204a8615762b0b5dcc6aac152f40b2ca0
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6b8acf32...

Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: Tue Sep 30 11:29:18 2014 +0200

websocket: fix checking payload_len safety check for fragmentation

- a crafted websocket frame using values spanning max unsigned int could have caused a failed detection of unsupported fragmentation and invalid memory access
- thanks to Peter Dunkley and Hugh Waite for assisting and pin-pointing where everything happens
---
modules/websocket/ws_frame.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/modules/websocket/ws_frame.c b/modules/websocket/ws_frame.c index d62a317..d3814bd 100644 --- a/modules/websocket/ws_frame.c +++ b/modules/websocket/ws_frame.c @@ -536,7 +536,8 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame, frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
/* Decode and unmask payload */ - if (len != frame->payload_len + mask_start + 4) + if ((unsigned long long)len != (unsigned long long)frame->payload_len + + mask_start + 4) { LM_WARN("message not complete frame size %u but received %u\n", frame->payload_len + mask_start + 4, len);
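
Review bot: The LM_WARN call under the new condition still computes `frame->payload_len + mask_start + 4` without the widening cast and prints it with `%u`, so for the crafted frames this fix targets the logged "frame size" can wrap and show a small, misleading value. Consider computing the expected size once into an unsigned long long, using it in both the comparison and the log call with `%llu`, so the check and the diagnostic cannot disagree. The cast also only helps if unsigned long long is wider than the type of payload_len, so a short comment stating that assumption next to the condition would help the next reader.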