Module: sip-router
Branch: master
Commit: 6b8acf3204a8615762b0b5dcc6aac152f40b2ca0
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6b8acf3204a8615762b0b5dcc6aac152f40b2ca0

Author: Daniel-Constantin Mierla <[email protected]>
Committer: Daniel-Constantin Mierla <[email protected]>
Date:   Tue Sep 30 11:29:18 2014 +0200

websocket: fix checking payload_len safety check for fragmentation

- a crafted websocket frame using values spanning max unsigned int could have
  caused a failed detection of unsupported fragmentation and invalid memory
  access
- thanks to Peter Dunkley and Hugh Waite for assisting and pin-pointing
  where everything happens

---

 modules/websocket/ws_frame.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/modules/websocket/ws_frame.c b/modules/websocket/ws_frame.c
index d62a317..d3814bd 100644
--- a/modules/websocket/ws_frame.c
+++ b/modules/websocket/ws_frame.c
@@ -536,7 +536,8 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
        frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
 
        /* Decode and unmask payload */
-       if (len != frame->payload_len + mask_start + 4)
+       if ((unsigned long long)len != (unsigned long long)frame->payload_len
+                                                                               
+ mask_start + 4)
        {
                LM_WARN("message not complete frame size %u but received %u\n",
                        frame->payload_len + mask_start + 4, len);
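
Review bot: The LM_WARN call in the trailing context still computes `frame->payload_len + mask_start + 4` without the widening cast and prints it with `%u`, so for the crafted frame this fix targets the logged frame size can wrap and will not match the value the new comparison actually used. Suggest casting the sum to `unsigned long long` there as well and switching that specifier to `%llu`, so the warning shows the real expected size when the check trips. A short comment above the condition saying why the 64-bit comparison is needed (sum can exceed max unsigned int) would also keep a later cleanup from dropping the casts.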


_______________________________________________
sr-dev mailing list
[email protected]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev