relay: fix crash when decoding a malformed websocket frame

Sébastien Helleu 2021-09-04 15:55:37 +02:00
parent 75b9ba03a1
commit 97bdd51112
2 changed files with 12 additions and 5 deletions


@ -50,6 +50,7 @@ Bug fixes::
* irc: remove unneeded message about Diffie-Hellman shared secret exchange during SSL connection to server (issue #857)
* irc: escape/unescape IRC message tags values (issue #1654)
* irc: set notify level to "private" for received WALLOPS
* relay: fix crash when decoding a malformed websocket frame
* script: fix move of installed script on another filesystem (issue #1667)
Documentation::


@ -278,7 +278,7 @@ relay_websocket_decode_frame (const unsigned char *buffer,
index_buffer = 0;
/* loop to decode all frames in message */
while (index_buffer + 2 <= buffer_length)
while (index_buffer + 1 < buffer_length)
{
opcode = buffer[index_buffer] & 15;
@ -293,10 +293,12 @@ relay_websocket_decode_frame (const unsigned char *buffer,
length_frame_size = 1;
length_frame = buffer[index_buffer + 1] & 127;
index_buffer += 2;
if (index_buffer >= buffer_length)
return 0;
if ((length_frame == 126) || (length_frame == 127))
{
length_frame_size = (length_frame == 126) ? 2 : 8;
if (buffer_length < 1 + length_frame_size)
if (index_buffer + length_frame_size > buffer_length)
return 0;
length_frame = 0;
for (i = 0; i < length_frame_size; i++)
@ -306,10 +308,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
index_buffer += length_frame_size;
}
if (buffer_length < 1 + length_frame_size + 4 + length_frame)
return 0;
/* read masks (4 bytes) */
if (index_buffer + 4 > buffer_length)
return 0;
int masks[4];
for (i = 0; i < 4; i++)
{
@ -333,6 +334,11 @@ relay_websocket_decode_frame (const unsigned char *buffer,
*decoded_length += 1;
/* decode data using masks */
if ((length_frame > buffer_length)
|| (index_buffer + length_frame > buffer_length))
{
return 0;
}
for (i = 0; i < length_frame; i++)
{
decoded[*decoded_length + i] = (int)((unsigned char)buffer[index_buffer + i]) ^ masks[i % 4];
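Review bot: The bounds check added before the unmasking loop is only safe because of its first clause. `length_frame > buffer_length` is what stops `index_buffer + length_frame` from wrapping when a frame declares a very large 8-byte extended length (assuming these are unsigned 64-bit values, whose declarations are outside the visible hunks), and nothing in the code says so, so a later cleanup could drop it as redundant and reopen the out-of-bounds read. I would collapse it into one comparison that cannot wrap, `if (length_frame > buffer_length - index_buffer) return 0;`, with a short comment that length_frame comes straight from the peer; this relies on index_buffer never exceeding buffer_length here, which the mask-length check earlier in the section appears to guarantee. The write side, `decoded[*decoded_length + i]`, is not bounded in this function as far as the hunks show, so the capacity of `decoded` supplied by the caller should be confirmed to cover buffer_length plus the opcode bytes. Only the changelog and this file are touched, so a regression test that feeds truncated headers, a missing mask and an oversized declared length to relay_websocket_decode_frame would be worth adding alongside the fix.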