[asterisk-commits] AST-2018-006: Properly handle WebSocket frames with 0 length... (asterisk[15])
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Feb 21 12:13:42 CST 2018
Kevin Harwell has submitted this change and it was merged. ( https://gerrit.asterisk.org/8362 )
Change subject: AST-2018-006: Properly handle WebSocket frames with 0 length payload.
......................................................................
AST-2018-006: Properly handle WebSocket frames with 0 length payload.

In ast_websocket_read() we were not adequately checking that the
payload_len was non-zero before passing it to ws_safe_read(). Calling
ws_safe_read with a len argument of 0 will result in a busy loop until
the underlying socket is closed.

ASTERISK-27658 #close

Change-Id: I9d59f83bc563f711df1a6197c57de473f6b0663a
---
M res/res_http_websocket.c
1 file changed, 13 insertions(+), 3 deletions(-)
Approvals:
Jenkins2: Verified
Kevin Harwell: Looks good to me, approved; Approved for Submit
diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
index 9e5506f..aaaba7d 100644
--- a/res/res_http_websocket.c
+++ b/res/res_http_websocket.c
@@ -495,12 +495,19 @@
* Note during the header parsing stage we try to read in small chunks just what we need, this
* is buffered data anyways, no expensive syscall required most of the time ...
*/
-static inline int ws_safe_read(struct ast_websocket *session, char *buf, int len, enum ast_websocket_opcode *opcode)
+static inline int ws_safe_read(struct ast_websocket *session, char *buf, size_t len, enum ast_websocket_opcode *opcode)
{
ssize_t rlen;
int xlen = len;
char *rbuf = buf;
int sanity = 10;
+
+ ast_assert(len > 0);
+
+ if (!len) {
+ errno = EINVAL;
+ return -1;
+ }
ao2_lock(session);
if (!session->stream) {
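Review bot: `int xlen = len;` right under the changed signature still narrows the new `size_t len` to `int`, so a length above INT_MAX would be truncated or turn negative in the remaining-bytes accounting. Declare `xlen` as `size_t` (or `ssize_t`, to match `rlen`), or reject oversized lengths in the same place as the new `!len` check. It would also help to document in the function comment that a zero `len` now returns -1 with `errno` set to EINVAL, so callers know they must skip the call for empty payloads.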
@@ -615,9 +622,12 @@
return -1;
}
- if (ws_safe_read(session, *payload, *payload_len, opcode)) {
- return -1;
+ if (*payload_len) {
+ if (ws_safe_read(session, *payload, *payload_len, opcode)) {
+ return -1;
+ }
}
+
/* If a mask is present unmask the payload */
if (mask_present) {
unsigned int pos;
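Review bot: The new `if (*payload_len)` guard has no comment saying why a zero-length payload bypasses the read. Since `ws_safe_read()` now fails with EINVAL on a zero `len`, this guard is what keeps valid empty frames from being treated as errors, and a one-line comment stating that would keep a later cleanup from removing it. Please also confirm that the `mask_present` block that follows is a no-op when `*payload_len` is 0, since execution now reaches it without any payload having been read.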
--
To view, visit https://gerrit.asterisk.org/8362
Gerrit-Project: asterisk
Gerrit-Branch: 15
Gerrit-MessageType: merged
Gerrit-Change-Id: I9d59f83bc563f711df1a6197c57de473f6b0663a
Gerrit-Change-Number: 8362
Gerrit-PatchSet: 1
Gerrit-Owner: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Jenkins2
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Sean Bright <sean.bright at gmail.com>