relay: fix crash when decoding a malformed websocket frame (CVE-2021-40516)

2021-09-07 19:05:06 +02:00 · 2021-09-07 19:05:06 +02:00 · 24f4f8fffa
commit 24f4f8fffa
parent 6f352deefe
2 changed files with 18 additions and 5 deletions
--- a/ChangeLog.adoc
+++ b/ChangeLog.adoc
@ -15,6 +15,13 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]
 (file _ReleaseNotes.adoc_ in sources).


+[[v2.3.1]]
+== Version 2.3.1 (under dev)
+
+Bug fixes::
+
+  * relay: fix crash when decoding a malformed websocket frame (CVE-2021-40516)
+
 [[v2.3]]
 == Version 2.3 (2018-10-21)

--- a/src/plugins/relay/relay-websocket.c
+++ b/src/plugins/relay/relay-websocket.c
@ -278,7 +278,7 @@ relay_websocket_decode_frame (const unsigned char *buffer,
    index_buffer = 0;

    /* loop to decode all frames in message */
-    while (index_buffer + 2 <= buffer_length)
+    while (index_buffer + 1 < buffer_length)
    {
        opcode = buffer[index_buffer] & 15;

@ -293,10 +293,12 @@ relay_websocket_decode_frame (const unsigned char *buffer,
        length_frame_size = 1;
        length_frame = buffer[index_buffer + 1] & 127;
        index_buffer += 2;
+        if (index_buffer >= buffer_length)
+            return 0;
        if ((length_frame == 126) || (length_frame == 127))
        {
            length_frame_size = (length_frame == 126) ? 2 : 8;
-            if (buffer_length < 1 + length_frame_size)
+            if (index_buffer + length_frame_size > buffer_length)
                return 0;
            length_frame = 0;
            for (i = 0; i < length_frame_size; i++)
@ -306,10 +308,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
            index_buffer += length_frame_size;
        }

-        if (buffer_length < 1 + length_frame_size + 4 + length_frame)
-            return 0;
-
        /* read masks (4 bytes) */
+        if (index_buffer + 4 > buffer_length)
+            return 0;
        int masks[4];
        for (i = 0; i < 4; i++)
        {
@ -323,6 +324,11 @@ relay_websocket_decode_frame (const unsigned char *buffer,
        *decoded_length += 1;

        /* decode data using masks */
+        if ((length_frame > buffer_length)
+            || (index_buffer + length_frame > buffer_length))
+        {
+            return 0;
+        }
        for (i = 0; i < length_frame; i++)
        {
            decoded[*decoded_length + i] = (int)((unsigned char)buffer[index_buffer + i]) ^ masks[i % 4];