core: add CVE id in ChangeLog

Version 3.2.1
relay: fix crash when decoding a malformed websocket frame
2021-09-05 20:53:31 +02:00 · 2021-09-04 13:16:44 +02:00 · 2021-09-04 11:39:22 +02:00
5 changed files with 29 additions and 9 deletions
--- a/ChangeLog.adoc
+++ b/ChangeLog.adoc
@ -15,6 +15,13 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]
 (file _ReleaseNotes.adoc_ in sources).
 [[v3.2.1]]
 == Version 3.2.1 (2021-09-04)
 Bug fixes::
  * relay: fix crash when decoding a malformed websocket frame (CVE-2021-40516)
 [[v3.2]]
 == Version 3.2 (2021-06-13)
--- a/ReleaseNotes.adoc
+++ b/ReleaseNotes.adoc
@ -17,6 +17,11 @@ https://weechat.org/files/changelog/ChangeLog-devel.html[ChangeLog]
 (file _ChangeLog.adoc_ in sources).
 [[v3.2.1]]
 == Version 3.2.1 (2021-09-04)
 Bug fix and maintenance release.
 [[v3.2]]
 == Version 3.2 (2021-06-13)
--- a/src/plugins/relay/relay-websocket.c
+++ b/src/plugins/relay/relay-websocket.c
@ -278,7 +278,7 @@ relay_websocket_decode_frame (const unsigned char *buffer,
    index_buffer = 0;
    /* loop to decode all frames in message */
-    while (index_buffer + 2 <= buffer_length)
+    while (index_buffer + 1 < buffer_length)
    {
        opcode = buffer[index_buffer] & 15;
@ -293,10 +293,12 @@ relay_websocket_decode_frame (const unsigned char *buffer,
        length_frame_size = 1;
        length_frame = buffer[index_buffer + 1] & 127;
        index_buffer += 2;
        if (index_buffer >= buffer_length)
            return 0;
        if ((length_frame == 126) || (length_frame == 127))
        {
            length_frame_size = (length_frame == 126) ? 2 : 8;
-            if (buffer_length < 1 + length_frame_size)
+            if (index_buffer + length_frame_size > buffer_length)
                return 0;
            length_frame = 0;
            for (i = 0; i < length_frame_size; i++)
@ -306,10 +308,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
            index_buffer += length_frame_size;
        }
        if (buffer_length < 1 + length_frame_size + 4 + length_frame)
            return 0;
        /* read masks (4 bytes) */
        if (index_buffer + 4 > buffer_length)
            return 0;
        int masks[4];
        for (i = 0; i < 4; i++)
        {
@ -333,6 +334,11 @@ relay_websocket_decode_frame (const unsigned char *buffer,
        *decoded_length += 1;
        /* decode data using masks */
        if ((length_frame > buffer_length)
            || (index_buffer + length_frame > buffer_length))
        {
            return 0;
        }
        for (i = 0; i < length_frame; i++)
        {
            decoded[*decoded_length + i] = (int)((unsigned char)buffer[index_buffer + i]) ^ masks[i % 4];
--- a/version.sh
+++ b/version.sh
@ -32,9 +32,9 @@
 #     devel-patch  the patch version of devel (e.g. 2 for version 1.4.2)
 #
-WEECHAT_STABLE=3.2
+WEECHAT_STABLE=3.2.1
-WEECHAT_DEVEL=3.2
+WEECHAT_DEVEL=3.2.1
-WEECHAT_DEVEL_FULL=3.2
+WEECHAT_DEVEL_FULL=3.2.1
 if [ $# -lt 1 ]; then
    echo >&2 "Syntax: $0 stable|devel|devel-full|devel-major|devel-minor|devel-patch"
--- a/weechat.spec
+++ b/weechat.spec
@ -23,7 +23,7 @@
 #
 %define name weechat
-%define version 3.2
+%define version 3.2.1
 %define release 1
 Name:      %{name}
@ -82,6 +82,8 @@ rm -rf $RPM_BUILD_ROOT
 %{_prefix}/share/icons/hicolor/512x512/apps/weechat.png
 %changelog
 * Sat Sep 04 2021 Sébastien Helleu <flashcode@flashtux.org> 3.2.1-1
 - Released version 3.2.1
 * Sun Jun 13 2021 Sébastien Helleu <flashcode@flashtux.org> 3.2-1
 - Released version 3.2
 * Sun Mar 07 2021 Sébastien Helleu <flashcode@flashtux.org> 3.1-1
Author	SHA1	Message	Date
Sébastien Helleu	4dfc137191	core: add CVE id in ChangeLog	2021-09-05 20:53:31 +02:00
Sébastien Helleu	3e180a3c90	Version 3.2.1	2021-09-04 13:16:44 +02:00
Sébastien Helleu	8b1331f98d	relay: fix crash when decoding a malformed websocket frame	2021-09-04 11:39:22 +02:00