On Mon, Sep 11, 2017 at 10:43:21AM -0700, Brandon Carpenter wrote:
> On Mon, Sep 11, 2017 at 10:37 AM, Daniel P. Berrange <berra...@redhat.com>
> wrote:
> > At the time qio_channel_websock_decode_header is run, 'encinput' is only
> > guaranteed to contain enough data to decode the header.
>
> Because the PING opcode is a control frame, this bit of code earlier in the
> function will ensure the entire frame has been read before the PING
> processing occurs:
>
> >     if (ioc->encinput.offset < ioc->payload_remain) {
> >         /* Wait for the entire payload before processing control frames
> >          * because the payload will most likely be echoed back. */
> >         if (ioc->opcode & QIO_CHANNEL_WEBSOCK_CONTROL_OPCODE_MASK) {
> >             return QIO_CHANNEL_ERR_BLOCK;
> >         }
> >         payload_len = ioc->encinput.offset - (ioc->encinput.offset % 4);
The problem is in the qio_channel_websock_read_wire method: we refuse to read
more than 4k into encinput. So if the ping payload is greater than 4k this
will just loop forever.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
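A small Python model of the loop Daniel describes, added here as an illustration and not code from QEMU or from either poster: it caps the input buffer at 4 KiB the way read_wire does, feeds it a PING whose payload is larger than the cap, and shows the decode loop never making progress, next to the check (RFC 6455 limits control-frame payloads to 125 bytes) that turns the livelock into a clean error. The frame builder, the exact cap value, the iteration bound and the function names are assumptions.

```python
import struct

MAX_ENCINPUT = 4096        # the "4k" cap on encinput from the thread (assumed exact value)
CONTROL_OPCODE_MASK = 0x8  # opcodes 0x8..0xF are control frames (RFC 6455 sec. 5.2)
MAX_CONTROL_PAYLOAD = 125  # RFC 6455 sec. 5.5: control frames carry at most 125 bytes

def build_frame(opcode, payload):
    """Build one masked client->server frame (constructed input; payload <= 65535)."""
    n = len(payload)
    hdr = bytes([0x80 | opcode])  # FIN set, unfragmented
    if n <= 125:
        hdr += bytes([0x80 | n])
    else:
        hdr += bytes([0x80 | 126]) + struct.pack(">H", n)  # 64-bit form omitted
    mask = b"\x00\x11\x22\x33"
    return hdr + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))

def decode_header(buf):
    """Return (opcode, payload_len, header_len incl. mask key) or None if short."""
    if len(buf) < 2:
        return None
    opcode, n, hlen = buf[0] & 0x0F, buf[1] & 0x7F, 2
    if n == 126:
        if len(buf) < 4:
            return None
        n, hlen = struct.unpack(">H", buf[2:4])[0], 4
    return opcode, n, hlen + 4

def process(wire, enforce_rfc_limit, max_iter=20):
    """Model of read_wire() + decode loop: returns 'ok', 'error' or 'livelock'."""
    encinput = b""
    for _ in range(max_iter):
        room = MAX_ENCINPUT - len(encinput)  # read_wire refuses to read past the cap
        if room > 0:
            encinput += wire[len(encinput):len(encinput) + room]
        hdr = decode_header(encinput)
        if hdr is None:
            continue                         # still waiting for header bytes
        opcode, plen, hlen = hdr
        is_control = bool(opcode & CONTROL_OPCODE_MASK)
        if enforce_rfc_limit and is_control and plen > MAX_CONTROL_PAYLOAD:
            return "error"                   # reject the oversized control frame up front
        if is_control and len(encinput) - hlen < plen:
            continue                         # QIO_CHANNEL_ERR_BLOCK: wait for whole payload
        return "ok"                          # data frame, or complete control frame
    return "livelock"                        # buffer full, payload can never complete
```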