<p>Benjamin Keith Ford has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/8361">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2018-006: Properly handle WebSocket frames with 0 length payload.<br><br>In ast_websocket_read() we were not adequately checking that the<br>payload_len was non-zero before passing it to ws_safe_read(). Calling<br>ws_safe_read with a len argument of 0 will result in a busy loop until<br>the underlying socket is closed.<br><br>ASTERISK-27658 #close<br><br>Change-Id: I9d59f83bc563f711df1a6197c57de473f6b0663a<br>---<br>M res/res_http_websocket.c<br>1 file changed, 13 insertions(+), 3 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/61/8361/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c<br>index bcad1c3..19b3246 100644<br>--- a/res/res_http_websocket.c<br>+++ b/res/res_http_websocket.c<br>@@ -488,12 +488,19 @@<br> * Note during the header parsing stage we try to read in small chunks just what we need, this<br> * is buffered data anyways, no expensive syscall required most of the time ...<br> */<br>-static inline int ws_safe_read(struct ast_websocket *session, char *buf, int len, enum ast_websocket_opcode *opcode)<br>+static inline int ws_safe_read(struct ast_websocket *session, char *buf, size_t len, enum ast_websocket_opcode *opcode)<br> {<br> ssize_t rlen;<br> int xlen = len;<br> char *rbuf = buf;<br> int sanity = 10;<br>+<br>+ ast_assert(len > 0);<br>+<br>+ if (!len) {<br>+ errno = EINVAL;<br>+ return -1;<br>+ }<br> <br> ao2_lock(session);<br> if (!session->stream) {<br>@@ -608,9 +615,12 @@<br> return -1;<br> }<br> <br>- if (ws_safe_read(session, *payload, *payload_len, opcode)) {<br>- return -1;<br>+ if (*payload_len) {<br>+ if (ws_safe_read(session, *payload, *payload_len, opcode)) {<br>+ return -1;<br>+ }<br> }<br>+<br> /* If a mask is present unmask the payload */<br> if (mask_present) {<br> unsigned int pos;<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/8361">change 8361</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/8361"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I9d59f83bc563f711df1a6197c57de473f6b0663a </div>
<div style="display:none"> Gerrit-Change-Number: 8361 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Sean Bright <sean.bright@gmail.com> </div>