On Mon, Sep 11, 2017 at 10:43:21AM -0700, Brandon Carpenter wrote:
> On Mon, Sep 11, 2017 at 10:37 AM, Daniel P. Berrange <berra...@redhat.com>
> wrote:
> > At the time qio_channel_websock_decode_header is run, 'encinput' is only
> > guaranteed to contain enough data to decode the header.
>
> Because the PING opcode is a control frame, this bit of code earlier in the
> function will ensure the entire frame has been read before the PING
> processing occurs:
>
> > if (ioc->encinput.offset < ioc->payload_remain) {
> > /* Wait for the entire payload before processing control
> > frames
> > * because the payload will most likely be echoed back. */
> > if (ioc->opcode & QIO_CHANNEL_WEBSOCK_CONTROL_OPCODE_MASK) {
> > return QIO_CHANNEL_ERR_BLOCK;
> > }
> > payload_len = ioc->encinput.offset - (ioc->encinput.offset %
> > 4);
The problem is in the qio_channel_websock_read_wire method we refuse
to read more than 4k into encinput. So if the ping payload is greater
than 4k this will just loop forever.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
