Module: kamailio
Branch: master
Commit: 038c3f16d9a8371f00b1b8e34d37d6509465a471
URL:
https://github.com/kamailio/kamailio/commit/038c3f16d9a8371f00b1b8e34d37d65…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: GitHub <noreply(a)github.com>
Date: 2018-01-26T08:50:54+01:00
Merge pull request #1413 from armenb/ws_check_bounds_before_reading_mask
websocket: check bounds before reading mask
---
Modified: src/modules/websocket/ws_frame.c
---
Diff:
https://github.com/kamailio/kamailio/commit/038c3f16d9a8371f00b1b8e34d37d65…
Patch:
https://github.com/kamailio/kamailio/commit/038c3f16d9a8371f00b1b8e34d37d65…
---
diff --git a/src/modules/websocket/ws_frame.c b/src/modules/websocket/ws_frame.c
index 2739ecbc11..2d7ca8ec5a 100644
--- a/src/modules/websocket/ws_frame.c
+++ b/src/modules/websocket/ws_frame.c
@@ -470,13 +470,6 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
} else
mask_start = 2;
- /* Decode mask */
- frame->masking_key[0] = (buf[mask_start + 0] & 0xff);
- frame->masking_key[1] = (buf[mask_start + 1] & 0xff);
- frame->masking_key[2] = (buf[mask_start + 2] & 0xff);
- frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
-
- /* Decode and unmask payload */
if((unsigned long long)len
!= (unsigned long long)frame->payload_len + mask_start + 4) {
LM_WARN("message not complete frame size %u but received %u\n",
@@ -492,7 +485,15 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
*err_text = str_status_message_too_big;
return -1;
}
+ /* Decode mask */
+ frame->masking_key[0] = (buf[mask_start + 0] & 0xff);
+ frame->masking_key[1] = (buf[mask_start + 1] & 0xff);
+ frame->masking_key[2] = (buf[mask_start + 2] & 0xff);
+ frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
+
frame->payload_data = &buf[mask_start + 4];
+
+ /* Decode and unmask payload */
for(i = 0; i < frame->payload_len; i++) {
j = i % 4;
frame->payload_data[i] = frame->payload_data[i] ^ frame->masking_key[j];
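Review bot: The relocated `/* Decode mask */` block is only safe because it now sits below the frame-size comparison, but the comment does not record that dependency, and the ordering is the whole fix. I would extend it to `/* Decode mask: keep below the frame-size check, which ensures buf[mask_start + 3] is within len */` so a later tidy-up does not move the reads back above the check. This assumes `len` is the number of bytes actually held in `buf`. The header and extended-length bytes read before `mask_start` is set are outside this hunk and probably need the same kind of minimum-length guard, which is worth confirming. decode_and_validate_ws_frame starts before the hunk and continues past it.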