[svn-commits] dlee: trunk r391561 - in /trunk: ./ res/res_http_websocket.c

SVN commits to the Digium repositories svn-commits at lists.digium.com
Wed Jun 12 16:08:41 CDT 2013 

Author: dlee
Date: Wed Jun 12 16:08:40 2013
New Revision: 391561

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=391561
Log:
Fix segfault for certain invalid WebSocket input.

The WebSocket code would allocate, on the stack, a string large enough
to hold a key provided by the client, and the WEBSOCKET_GUID. If the key
is NULL, this causes a segfault. If the key is too large, it could
overflow the stack.

This patch checks the key for NULL and checks the length of the key to
avoid stack smashing nastiness.

(closes issue ASTERISK-21825)
Reported by: Alfred Farrugia
Tested by: Alfred Farrugia, David M. Lee
Patches:
    issueA21825_check_if_key_is_sent.patch uploaded by Walter Doekes (license 5674)
........

Merged revisions 391560 from http://svn.asterisk.org/svn/asterisk/branches/11

Modified:
    trunk/   (props changed)
    trunk/res/res_http_websocket.c

Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-11-merged' - no diff available.

Modified: trunk/res/res_http_websocket.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_http_websocket.c?view=diff&rev=391561&r1=391560&r2=391561
==============================================================================
--- trunk/res/res_http_websocket.c (original)
+++ trunk/res/res_http_websocket.c Wed Jun 12 16:08:40 2013
@@ -577,8 +577,17 @@
 		/* Version 7 defined in specification http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-07 */
 		/* Version 8 defined in specification http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-10 */
 		/* Version 13 defined in specification http://tools.ietf.org/html/rfc6455 */
-		char combined[strlen(key) + strlen(WEBSOCKET_GUID) + 1], base64[64];
+		char *combined, base64[64];
+		unsigned combined_length;
 		uint8_t sha[20];
+
+		combined_length = (key ? strlen(key) : 0) + strlen(WEBSOCKET_GUID) + 1;
+		if (!key || combined_length > 8192) { /* no stack overflows please */
+			fputs("HTTP/1.1 400 Bad Request\r\n"
+			      "Sec-WebSocket-Version: 7, 8, 13\r\n\r\n", ser->f);
+			ao2_ref(protocol_handler, -1);
+			return 0;
+		}
 
 		if (!(session = ao2_alloc(sizeof(*session), session_destroy_fn))) {
 			ast_log(LOG_WARNING, "WebSocket connection from '%s' could not be accepted\n",
@@ -589,7 +598,8 @@
 			return 0;
 		}
 
-		snprintf(combined, sizeof(combined), "%s%s", key, WEBSOCKET_GUID);
+		combined = ast_alloca(combined_length);
+		snprintf(combined, combined_length, "%s%s", key, WEBSOCKET_GUID);
 		ast_sha1_hash_uint(sha, combined);
 		ast_base64encode(base64, (const unsigned char*)sha, 20, sizeof(base64));

More information about the svn-commits mailing list