[sr-dev] git:master: websocket: fix checking payload_len safety check for fragmentation

Daniel-Constantin Mierla miconda at gmail.com
Tue Sep 30 11:33:30 CEST 2014


Module: sip-router
Branch: master
Commit: 6b8acf3204a8615762b0b5dcc6aac152f40b2ca0
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6b8acf3204a8615762b0b5dcc6aac152f40b2ca0

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Tue Sep 30 11:29:18 2014 +0200

websocket: fix checking payload_len safety check for fragmentation

- a crafted websocket frame using values spanning max unsigned int could have
  caused a failed detection of unsupported fragmentation and invalid memory access
- thanks to Peter Dunkley and Hugh Waite for assisting and pin-pointing
  where everything happens

---

 modules/websocket/ws_frame.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/modules/websocket/ws_frame.c b/modules/websocket/ws_frame.c
index d62a317..d3814bd 100644
--- a/modules/websocket/ws_frame.c
+++ b/modules/websocket/ws_frame.c
@@ -536,7 +536,8 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
 	frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
 
 	/* Decode and unmask payload */
-	if (len != frame->payload_len + mask_start + 4)
+	if ((unsigned long long)len != (unsigned long long)frame->payload_len
+										+ mask_start + 4)
 	{
 		LM_WARN("message not complete frame size %u but received %u\n",
 			frame->payload_len + mask_start + 4, len);
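
Review bot: the LM_WARN left as context at the end of this hunk still computes frame->payload_len + mask_start + 4 without the widening cast and prints it with %u, so for the crafted frames the new comparison is meant to catch, the logged frame size is the wrapped value rather than the one that failed the check. Suggest applying the same (unsigned long long) cast to the logged sum and printing it with %llu. It would also help to add a short comment above the condition saying the cast on frame->payload_len is what keeps the addition from wrapping, so a later cleanup does not remove it as redundant.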



