Module: kamailio
Branch: master
Commit: 4fabe253a1eb0f9b494521cfa98365523a93adcf
URL: 
https://github.com/kamailio/kamailio/commit/4fabe253a1eb0f9b494521cfa98365523a93adcf

Author: Armen Babikyan <ar...@firespotter.com>
Committer: Armen Babikyan <ar...@firespotter.com>
Date: 2018-01-25T17:43:33-08:00

websocket: check bounds before reading mask

---

Modified: src/modules/websocket/ws_frame.c

---

Diff:  
https://github.com/kamailio/kamailio/commit/4fabe253a1eb0f9b494521cfa98365523a93adcf.diff
Patch: 
https://github.com/kamailio/kamailio/commit/4fabe253a1eb0f9b494521cfa98365523a93adcf.patch

---

diff --git a/src/modules/websocket/ws_frame.c b/src/modules/websocket/ws_frame.c
index 9bc3268601..32a1f4bf6a 100644
--- a/src/modules/websocket/ws_frame.c
+++ b/src/modules/websocket/ws_frame.c
@@ -470,13 +470,6 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
        } else
                mask_start = 2;
 
-       /* Decode mask */
-       frame->masking_key[0] = (buf[mask_start + 0] & 0xff);
-       frame->masking_key[1] = (buf[mask_start + 1] & 0xff);
-       frame->masking_key[2] = (buf[mask_start + 2] & 0xff);
-       frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
-
-       /* Decode and unmask payload */
        if((unsigned long long)len
                        != (unsigned long long)frame->payload_len + mask_start + 4) {
                LM_WARN("message not complete frame size %u but received %u\n",
@@ -492,7 +485,15 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
                *err_text = str_status_message_too_big;
                return -1;
        }
+       /* Decode mask */
+       frame->masking_key[0] = (buf[mask_start + 0] & 0xff);
+       frame->masking_key[1] = (buf[mask_start + 1] & 0xff);
+       frame->masking_key[2] = (buf[mask_start + 2] & 0xff);
+       frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
+
        frame->payload_data = &buf[mask_start + 4];
+
+       /* Decode and unmask payload */
        for(i = 0; i < frame->payload_len; i++) {
                j = i % 4;
                frame->payload_data[i] = frame->payload_data[i] ^ frame->masking_key[j];
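Review bot: The relocated `/* Decode mask */` comment does not say why the four `buf[mask_start + n]` reads must stay below the length checks, so a later tidy-up could move them back up and reintroduce a read past the received data. I would record the invariant in the comment, e.g. `/* Decode mask: safe only once len == payload_len + mask_start + 4 has been verified above */`. The equality test that establishes this is in the previous hunk, and `decode_and_validate_ws_frame` starts and ends outside both hunks, so the earlier header-length checks that set `mask_start` cannot be reviewed from here.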

