On 23 March 2015 at 22:58, Daniel P. Berrange <[email protected]> wrote:
> +int vncws_decode_frame_payload(Buffer *input,
> + size_t *payload_remain, WsMask *payload_mask,
> + uint8_t **payload, size_t *payload_size)
> +{
> + size_t i;
> + uint32_t *payload32;
>
> - if (input->offset < *frame_size) {
> - /* frame not complete */
> + *payload = input->buffer;
> + /* If we aren't at the end of the payload, then drop
> + * off the last bytes, so we're always multiple of 4
> + * for purpose of unmasking, except at end of payload
> + */
> + if (input->offset < *payload_remain) {
> + *payload_size = input->offset - (input->offset % 4);
> + } else {
> + *payload_size = input->offset;
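Review bot: the else branch `*payload_size = input->offset;` is reached only when input->offset >= *payload_remain, so whenever the buffer already holds bytes beyond the end of this frame it hands back more than the frame has left. Cap it at the frame boundary, `*payload_size = *payload_remain;`, so the trailing bytes stay in the buffer for the next frame's header. The comment above the if could also spell out that the "except at end of payload" case is the only chunk allowed to be a non-multiple of 4.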
This can set *payload_size to a value larger than
*payload_remain, if the input buffer happens to contain
further data after the end of this packet...
> + }
> + if (*payload_size == 0) {
> return 0;
> }
> -
> - *payload = input->buffer + header_size;
> + *payload_remain -= *payload_size;
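Review bot: `*payload_remain -= *payload_size;` has no guard against *payload_size being larger than *payload_remain, and since *payload_remain is a size_t (per the prototype) an oversize chunk makes it wrap to a huge value rather than go negative, after which the per-frame byte accounting is lost. Either cap *payload_size at *payload_remain where it is computed, or add `if (*payload_size > *payload_remain) { return -1; }` (or whatever error convention the caller uses) before the subtraction.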
...at which point this will end up making
*payload_remain negative. Disconnection happens shortly
afterwards.
Should the line
*payload_size = input->offset;
actually read
*payload_size = *payload_remain;
?
Making that change appears to fix the novnc disconnects
that Gerd reports.
thanks
-- PMM
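A stand-alone C reproduction of the arithmetic discussed in this thread, added here as an example and not taken from the patch or from QEMU. The Buffer and WsMask types are assumed stand-ins with the fields the quoted hunk touches, the decode function is a by-hand re-expression of the hunk's size computation (with a byte-wise XOR instead of the uint32_t unmasking, and a cap_to_remain switch selecting PMM's suggested `*payload_size = *payload_remain`), and the masked payload plus next-frame header bytes are constructed input. It shows the mid-payload rounding to a multiple of 4, the size_t wrap-around when the buffer holds bytes past the end of the frame, and the capped version leaving those bytes in place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the QEMU Buffer/WsMask types named in the patch; the field
 * layout is assumed for this example and is not copied from QEMU. */
typedef struct {
    uint8_t *buffer;
    size_t offset;          /* number of bytes currently held */
} Buffer;

typedef union {
    uint8_t c[4];
    uint32_t u;
} WsMask;

/* Drop the first n bytes of the buffer (what a caller does after using a chunk). */
static void buffer_advance(Buffer *b, size_t n)
{
    memmove(b->buffer, b->buffer + n, b->offset - n);
    b->offset -= n;
}

/*
 * Hand out and unmask the next chunk of a frame's payload.  Mirrors the size
 * arithmetic of the quoted hunk; cap_to_remain selects the else branch as
 * posted (0) or the capped version proposed in the reply (1).
 * Returns 1 if a chunk was produced, 0 if nothing could be produced yet.
 */
static int decode_payload_chunk(Buffer *input, size_t *payload_remain,
                                const WsMask *mask, uint8_t **payload,
                                size_t *payload_size, int cap_to_remain)
{
    *payload = input->buffer;
    if (input->offset < *payload_remain) {
        /* Mid-payload: keep a multiple of 4 so the mask stays phase-aligned
         * across chunks (the mask index restarts at 0 for every chunk). */
        *payload_size = input->offset - (input->offset % 4);
    } else if (cap_to_remain) {
        *payload_size = *payload_remain;   /* never hand out the next frame's bytes */
    } else {
        *payload_size = input->offset;     /* as posted: may exceed *payload_remain */
    }
    if (*payload_size == 0) {
        return 0;
    }
    for (size_t i = 0; i < *payload_size; i++) {
        (*payload)[i] ^= mask->c[i % 4];
    }
    *payload_remain -= *payload_size;      /* size_t: wraps if size > remain */
    return 1;
}

struct ChunkResult {
    size_t consumed;       /* *payload_size handed back */
    size_t remain_after;   /* *payload_remain after the call */
    size_t leftover;       /* bytes still in the buffer afterwards */
    char text[32];         /* the unmasked chunk, NUL-terminated */
};

/*
 * Constructed input: the 6-byte payload "Hello!" masked with a fixed key,
 * followed by 4 bytes standing in for the next frame's header.  Only the
 * first `avail` bytes of that stream are treated as having arrived.
 */
static struct ChunkResult run_chunk(size_t avail, int cap_to_remain)
{
    static const char plain[] = "Hello!";
    static const uint8_t next_hdr[] = { 0x81, 0x85, 0xAA, 0xBB };  /* constructed */
    const WsMask mask = { .c = { 0x12, 0x34, 0x56, 0x78 } };        /* constructed */
    uint8_t raw[64] = { 0 };
    size_t frame_len = strlen(plain);

    for (size_t i = 0; i < frame_len; i++) {
        raw[i] = (uint8_t)plain[i] ^ mask.c[i % 4];
    }
    memcpy(raw + frame_len, next_hdr, sizeof next_hdr);

    Buffer input = { .buffer = raw, .offset = avail };
    size_t remain = frame_len;
    uint8_t *payload = NULL;
    size_t size = 0;
    struct ChunkResult r = { 0 };

    if (decode_payload_chunk(&input, &remain, &mask, &payload, &size, cap_to_remain)) {
        memcpy(r.text, payload, size < sizeof r.text - 1 ? size : sizeof r.text - 1);
        buffer_advance(&input, size);
    }
    r.consumed = size;
    r.remain_after = remain;
    r.leftover = input.offset;
    return r;
}

int main(void)
{
    struct ChunkResult a = run_chunk(5, 1);   /* partial payload: 5 rounds down to 4 */
    struct ChunkResult b = run_chunk(10, 0);  /* whole frame + header bytes, as posted */
    struct ChunkResult c = run_chunk(10, 1);  /* same input, capped at the frame end */
    printf("partial:   consumed=%zu remain=%zu leftover=%zu text=%s\n",
           a.consumed, a.remain_after, a.leftover, a.text);
    printf("as posted: consumed=%zu remain=%zu leftover=%zu\n",
           b.consumed, b.remain_after, b.leftover);
    printf("capped:    consumed=%zu remain=%zu leftover=%zu text=%s\n",
           c.consumed, c.remain_after, c.leftover, c.text);
    return 0;
}
```

In the "as posted" run the chunk swallows the four header bytes, XORs them with the mask, and leaves remain at SIZE_MAX - 3; the capped run returns exactly the six payload bytes with the header still sitting in the buffer for the next call.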