[sr-dev] git:master:3302687e: websocket: early check for frame size to fit max buf size

Daniel-Constantin Mierla miconda at gmail.com
Sun Dec 31 11:06:25 CET 2017


Module: kamailio
Branch: master
Commit: 3302687e2b995ee9faab1655e6bb5e5d4a0dbc87
URL: https://github.com/kamailio/kamailio/commit/3302687e2b995ee9faab1655e6bb5e5d4a0dbc87

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2017-12-31T10:39:16+01:00

websocket: early check for frame size to fit max buf size

- avoid decoding a large buffer and then failing
- allocate BUF_SIZE+1 for fragment buffer, coherent with other recv
buffers

---

Modified: src/modules/websocket/ws_conn.c
Modified: src/modules/websocket/ws_frame.c

---

Diff:  https://github.com/kamailio/kamailio/commit/3302687e2b995ee9faab1655e6bb5e5d4a0dbc87.diff
Patch: https://github.com/kamailio/kamailio/commit/3302687e2b995ee9faab1655e6bb5e5d4a0dbc87.patch

---

diff --git a/src/modules/websocket/ws_conn.c b/src/modules/websocket/ws_conn.c
index 9fedf33f7b..786d87dc50 100644
--- a/src/modules/websocket/ws_conn.c
+++ b/src/modules/websocket/ws_conn.c
@@ -202,13 +202,13 @@ int wsconn_add(struct receive_info rcv, unsigned int sub_protocol)
 	LM_DBG("wsconn_add id [%d]\n", id);
 
 	/* Allocate and fill in new WebSocket connection */
-	wsc = shm_malloc(sizeof(ws_connection_t) + BUF_SIZE);
+	wsc = shm_malloc(sizeof(ws_connection_t) + BUF_SIZE + 1);
 	if (wsc == NULL)
 	{
 		LM_ERR("allocating shared memory\n");
 		return -1;
 	}
-	memset(wsc, 0, sizeof(ws_connection_t) + BUF_SIZE);
+	memset(wsc, 0, sizeof(ws_connection_t) + BUF_SIZE + 1);
 	wsc->id = id;
 	wsc->id_hash = id_hash;
 	wsc->state = WS_S_OPEN;
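Review bot: The extra byte in `shm_malloc(sizeof(ws_connection_t) + BUF_SIZE + 1)` has no comment saying what it is for, and the same size expression is written out a second time in the `memset`, so the two can drift apart on a later edit. A comment such as `/* BUF_SIZE + 1: fragment buffer sized like the other recv buffers */` above the allocation would record the intent given in the commit message. Computing the size once into a local and passing it to both calls would keep them in step. wsconn_add starts and ends outside the hunk.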
diff --git a/src/modules/websocket/ws_frame.c b/src/modules/websocket/ws_frame.c
index 8e632892f6..5aafe064e9 100644
--- a/src/modules/websocket/ws_frame.c
+++ b/src/modules/websocket/ws_frame.c
@@ -406,7 +406,7 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
                                         short *err_code, str *err_text)
 {
 	unsigned int i, len = tcpinfo->len;
-	int mask_start, j;
+	unsigned int mask_start, j;
 	char *buf = tcpinfo->buf;
 
 	LM_DBG("decoding WebSocket frame\n");
@@ -535,6 +535,13 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
 		*err_text = str_status_protocol_error;
 		return -1;
 	}
+	if(frame->payload_len >= BUF_SIZE) {
+		LM_WARN("message is too long for our buffer size (%d / %d)\n",
+				BUF_SIZE, frame->payload_len);
+		*err_code = 1009;
+		*err_text = str_status_message_too_big;
+		return -1;
+	}
 	frame->payload_data = &buf[mask_start + 4];
 	for (i = 0; i < frame->payload_len; i++)
 	{
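Review bot: The LM_WARN in the added size check prints `frame->payload_len` with `%d`; the loop just below compares that field with the unsigned `i`, so it is presumably unsigned and `%u` would be the matching specifier (its declaration is outside the hunk, so confirm). The arguments are also passed limit-first, which makes the log line read as if BUF_SIZE were the offending length; `LM_WARN("message is too long for our buffer size (%u / %d)\n", frame->payload_len, BUF_SIZE);` would be clearer. This check bounds a single frame only. Whether the accumulated length of a fragmented message is held to the same limit is decided in code not shown here and is worth confirming. decode_and_validate_ws_frame continues past the end of the hunk.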



