relay: fix crash when decoding a malformed websocket frame
flashcode committed Sep 4, 2021
1 parent 70c09f1 commit 8b1331f
Showing 3 changed files with 20 additions and 7 deletions.
7 changes: 7 additions & 0 deletions ChangeLog.adoc
Expand Up @@ -15,6 +15,13 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]
(file _ReleaseNotes.adoc_ in sources).


[[v3.2.1]]
== Version 3.2.1 (under dev)

Bug fixes::

* relay: fix crash when decoding a malformed websocket frame

[[v3.2]]
== Version 3.2 (2021-06-13)

16 changes: 11 additions & 5 deletions src/plugins/relay/relay-websocket.c
Expand Up @@ -278,7 +278,7 @@ relay_websocket_decode_frame (const unsigned char *buffer,
index_buffer = 0;

/* loop to decode all frames in message */
while (index_buffer + 2 <= buffer_length)
while (index_buffer + 1 < buffer_length)
{
opcode = buffer[index_buffer] & 15;

Expand All @@ -293,10 +293,12 @@ relay_websocket_decode_frame (const unsigned char *buffer,
length_frame_size = 1;
length_frame = buffer[index_buffer + 1] & 127;
index_buffer += 2;
if (index_buffer >= buffer_length)
return 0;
if ((length_frame == 126) || (length_frame == 127))
{
length_frame_size = (length_frame == 126) ? 2 : 8;
if (buffer_length < 1 + length_frame_size)
if (index_buffer + length_frame_size > buffer_length)
return 0;
length_frame = 0;
for (i = 0; i < length_frame_size; i++)
Expand All @@ -306,10 +308,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
index_buffer += length_frame_size;
}

if (buffer_length < 1 + length_frame_size + 4 + length_frame)
return 0;

/* read masks (4 bytes) */
if (index_buffer + 4 > buffer_length)
return 0;
int masks[4];
for (i = 0; i < 4; i++)
{
Expand All @@ -333,6 +334,11 @@ relay_websocket_decode_frame (const unsigned char *buffer,
*decoded_length += 1;

/* decode data using masks */
if ((length_frame > buffer_length)
|| (index_buffer + length_frame > buffer_length))
{
return 0;
}
for (i = 0; i < length_frame; i++)
{
decoded[*decoded_length + i] = (int)((unsigned char)buffer[index_buffer + i]) ^ masks[i % 4];
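Review bot: The first clause of the new guard before the unmasking loop in the last hunk, `length_frame > buffer_length`, reads as redundant with `index_buffer + length_frame > buffer_length` on the following line and invites a later cleanup that would quietly reintroduce the crash; if it is there because a frame with the 8-byte length field can make `index_buffer + length_frame` wrap past `buffer_length` (the operand types are not visible in this hunk, so this is inferred), a comment should say so, e.g. `/* test length_frame alone first: a 64-bit length can make index_buffer + length_frame wrap around and pass the second test */`. The `if (index_buffer >= buffer_length) return 0;` added after `index_buffer += 2` in the second hunk is fully covered by the later `index_buffer + length_frame_size > buffer_length` and `index_buffer + 4 > buffer_length` tests, so it could be dropped, though keeping it is harmless. Rejecting an 8-byte length whose most significant bit is set as soon as it is read, which RFC 6455 requires to be zero, would make the intent of the bound explicit rather than relying on the arithmetic comparison. relay_websocket_decode_frame starts before the first hunk and continues past the last one.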
4 changes: 2 additions & 2 deletions version.sh
Expand Up @@ -33,8 +33,8 @@
#

WEECHAT_STABLE=3.2
WEECHAT_DEVEL=3.2
WEECHAT_DEVEL_FULL=3.2
WEECHAT_DEVEL=3.2.1
WEECHAT_DEVEL_FULL=3.2.1-dev

if [ $# -lt 1 ]; then
echo >&2 "Syntax: $0 stable|devel|devel-full|devel-major|devel-minor|devel-patch"
