[Asterisk-code-review] AST-2018-006: Properly handle WebSocket frames with 0 length... (asterisk[master])

Benjamin Keith Ford asteriskteam at digium.com
Wed Feb 21 10:32:03 CST 2018 

Benjamin Keith Ford has uploaded this change for review. ( https://gerrit.asterisk.org/8361


Change subject: AST-2018-006: Properly handle WebSocket frames with 0 length payload.
......................................................................

AST-2018-006: Properly handle WebSocket frames with 0 length payload.

In ast_websocket_read() we were not adequately checking that the
payload_len was non-zero before passing it to ws_safe_read(). Calling
ws_safe_read with a len argument of 0 will result in a busy loop until
the underlying socket is closed.

ASTERISK-27658 #close

Change-Id: I9d59f83bc563f711df1a6197c57de473f6b0663a
---
M res/res_http_websocket.c
1 file changed, 13 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/61/8361/1

diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
index bcad1c3..19b3246 100644
--- a/res/res_http_websocket.c
+++ b/res/res_http_websocket.c
@@ -488,12 +488,19 @@
  * Note during the header parsing stage we try to read in small chunks just what we need, this
  * is buffered data anyways, no expensive syscall required most of the time ...
  */
-static inline int ws_safe_read(struct ast_websocket *session, char *buf, int len, enum ast_websocket_opcode *opcode)
+static inline int ws_safe_read(struct ast_websocket *session, char *buf, size_t len, enum ast_websocket_opcode *opcode)
 {
 	ssize_t rlen;
 	int xlen = len;
 	char *rbuf = buf;
 	int sanity = 10;
+
+	ast_assert(len > 0);
+
+	if (!len) {
+		errno = EINVAL;
+		return -1;
+	}
 
 	ao2_lock(session);
 	if (!session->stream) {
@@ -608,9 +615,12 @@
 			return -1;
 		}
 
-		if (ws_safe_read(session, *payload, *payload_len, opcode)) {
-			return -1;
+		if (*payload_len) {
+			if (ws_safe_read(session, *payload, *payload_len, opcode)) {
+				return -1;
+			}
 		}
+
 		/* If a mask is present unmask the payload */
 		if (mask_present) {
 			unsigned int pos;

-- 
To view, visit https://gerrit.asterisk.org/8361
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9d59f83bc563f711df1a6197c57de473f6b0663a
Gerrit-Change-Number: 8361
Gerrit-PatchSet: 1
Gerrit-Owner: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Sean Bright <sean.bright at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20180221/53aee147/attachment.html>

More information about the asterisk-code-review mailing list