lib/parsers.c

   1 /*
   2  * libwebsockets - small server side websockets and web server implementation
   3  *
   4  * Copyright (C) 2010-2013 Andy Green <andy@warmcat.com>
   5  *
   6  *  This library is free software; you can redistribute it and/or
   7  *  modify it under the terms of the GNU Lesser General Public
   8  *  License as published by the Free Software Foundation:
   9  *  version 2.1 of the License.
  10  *
  11  *  This library is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  *  Lesser General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU Lesser General Public
  17  *  License along with this library; if not, write to the Free Software
  18  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  19  *  MA  02110-1301  USA
  20  */
  21
  22 #include "private-libwebsockets.h"
  23
  24 unsigned char lextable[] = {
  25         #include "lextable.h"
  26 };
  27
  28 #define FAIL_CHAR 0x08
  29
  30 int lextable_decode(int pos, char c)
  31 {
  32         c = tolower(c);
  33
  34         while (1) {
  35                 if (lextable[pos] & (1 << 7)) { /* 1-byte, fail on mismatch */
  36                         if ((lextable[pos] & 0x7f) != c)
  37                                 return -1;
  38                         /* fall thru */
  39                         pos++;
  40                         if (lextable[pos] == FAIL_CHAR)
  41                                 return -1;
  42                         return pos;
  43                 }
  44
  45                 if (lextable[pos] == FAIL_CHAR)
  46                         return -1;
  47
  48                 /* b7 = 0, end or 3-byte */
  49                 if (lextable[pos] < FAIL_CHAR) /* terminal marker */
  50                         return pos;
  51
  52                 if (lextable[pos] == c) /* goto */
  53                         return pos + (lextable[pos + 1]) +
  54                                                 (lextable[pos + 2] << 8);
  55                 /* fall thru goto */
  56                 pos += 3;
  57                 /* continue */
  58         }
  59 }
  60
  61 int lws_allocate_header_table(struct lws *wsi)
  62 {
  63         /* Be sure to free any existing header data to avoid mem leak: */
  64         lws_free_header_table(wsi);
  65         wsi->u.hdr.ah = lws_malloc(sizeof(*wsi->u.hdr.ah));
  66         if (wsi->u.hdr.ah == NULL) {
  67                 lwsl_err("Out of memory\n");
  68                 return -1;
  69         }
  70         memset(wsi->u.hdr.ah->frag_index, 0, sizeof(wsi->u.hdr.ah->frag_index));
  71         wsi->u.hdr.ah->nfrag = 0;
  72         wsi->u.hdr.ah->pos = 0;
  73
  74         return 0;
  75 }
  76
  77 int lws_free_header_table(struct lws *wsi)
  78 {
  79         lws_free_set_NULL(wsi->u.hdr.ah);
  80         wsi->u.hdr.ah = NULL;
  81         return 0;
  82 };
  83
  84 LWS_VISIBLE int lws_hdr_total_length(struct lws *wsi, enum lws_token_indexes h)
  85 {
  86         int n;
  87         int len = 0;
  88
  89         n = wsi->u.hdr.ah->frag_index[h];
  90         if (!n)
  91                 return 0;
  92         do {
  93                 len += wsi->u.hdr.ah->frags[n].len;
  94                 n = wsi->u.hdr.ah->frags[n].nfrag;
  95         } while (n);
  96
  97         return len;
  98 }
  99
 100 LWS_VISIBLE int lws_hdr_copy_fragment(struct lws *wsi, char *dst, int len,
 101                                       enum lws_token_indexes h, int frag_idx)
 102 {
 103         int n = 0;
 104         int f = wsi->u.hdr.ah->frag_index[h];
 105
 106         while (n < frag_idx) {
 107                 f = wsi->u.hdr.ah->frags[f].nfrag;
 108                 if (!f)
 109                         return -1;
 110                 n++;
 111         }
 112
 113         if (wsi->u.hdr.ah->frags[f].len >= (len - 1))
 114                 return -1;
 115
 116         memcpy(dst, &wsi->u.hdr.ah->data[wsi->u.hdr.ah->frags[f].offset],
 117                wsi->u.hdr.ah->frags[f].len);
 118         dst[wsi->u.hdr.ah->frags[f].len] = '\0';
 119
 120         return wsi->u.hdr.ah->frags[f].len;
 121 }
 122
 123 LWS_VISIBLE int lws_hdr_copy(struct lws *wsi, char *dst, int len,
 124                              enum lws_token_indexes h)
 125 {
 126         int toklen = lws_hdr_total_length(wsi, h);
 127         int n;
 128
 129         if (toklen >= len)
 130                 return -1;
 131
 132         n = wsi->u.hdr.ah->frag_index[h];
 133         if (!n)
 134                 return 0;
 135
 136         do {
 137                 strcpy(dst, &wsi->u.hdr.ah->data[wsi->u.hdr.ah->frags[n].offset]);
 138                 dst += wsi->u.hdr.ah->frags[n].len;
 139                 n = wsi->u.hdr.ah->frags[n].nfrag;
 140         } while (n);
 141
 142         return toklen;
 143 }
 144
 145 char *lws_hdr_simple_ptr(struct lws *wsi, enum lws_token_indexes h)
 146 {
 147         int n;
 148
 149         n = wsi->u.hdr.ah->frag_index[h];
 150         if (!n)
 151                 return NULL;
 152
 153         return &wsi->u.hdr.ah->data[wsi->u.hdr.ah->frags[n].offset];
 154 }
 155
 156 int lws_hdr_simple_create(struct lws *wsi, enum lws_token_indexes h,
 157                           const char *s)
 158 {
 159         wsi->u.hdr.ah->nfrag++;
 160         if (wsi->u.hdr.ah->nfrag == ARRAY_SIZE(wsi->u.hdr.ah->frags)) {
 161                 lwsl_warn("More hdr frags than we can deal with, dropping\n");
 162                 return -1;
 163         }
 164
 165         wsi->u.hdr.ah->frag_index[h] = wsi->u.hdr.ah->nfrag;
 166
 167         wsi->u.hdr.ah->frags[wsi->u.hdr.ah->nfrag].offset = wsi->u.hdr.ah->pos;
 168         wsi->u.hdr.ah->frags[wsi->u.hdr.ah->nfrag].len = 0;
 169         wsi->u.hdr.ah->frags[wsi->u.hdr.ah->nfrag].nfrag = 0;
 170
 171         do {
 172                 if (wsi->u.hdr.ah->pos == sizeof(wsi->u.hdr.ah->data)) {
 173                         lwsl_err("Ran out of header data space\n");
 174                         return -1;
 175                 }
 176                 wsi->u.hdr.ah->data[wsi->u.hdr.ah->pos++] = *s;
 177                 if (*s)
 178                         wsi->u.hdr.ah->frags[wsi->u.hdr.ah->nfrag].len++;
 179         } while (*s++);
 180
 181         return 0;
 182 }
 183
 184 static signed char char_to_hex(const char c)
 185 {
 186         if (c >= '0' && c <= '9')
 187                 return c - '0';
 188
 189         if (c >= 'a' && c <= 'f')
 190                 return c - 'a' + 10;
 191
 192         if (c >= 'A' && c <= 'F')
 193                 return c - 'A' + 10;
 194
 195         return -1;
 196 }
 197
 198 static int issue_char(struct lws *wsi, unsigned char c)
 199 {
 200         unsigned short frag_len;
 201
 202         if (wsi->u.hdr.ah->pos == sizeof(wsi->u.hdr.ah->data)) {
 203                 lwsl_warn("excessive header content\n");
 204                 return -1;
 205         }
 206
 207         frag_len = wsi->u.hdr.ah->frags[wsi->u.hdr.ah->nfrag].len;
 208         /*
 209          * If we haven't hit the token limit, just copy the character into
 210          * the header
 211          */
 212         if (frag_len < wsi->u.hdr.current_token_limit) {
 213                 wsi->u.hdr.ah->data[wsi->u.hdr.ah->pos++] = c;
 214                 if (c)
 215                         wsi->u.hdr.ah->frags[wsi->u.hdr.ah->nfrag].len++;
 216                 return 0;
 217         }
 218
 219         /* Insert a null character when we *hit* the limit: */
 220         if (frag_len == wsi->u.hdr.current_token_limit) {
 221                 wsi->u.hdr.ah->data[wsi->u.hdr.ah->pos++] = '\0';
 222                 lwsl_warn("header %i exceeds limit\n",
 223                           wsi->u.hdr.parser_state);
 224         }
 225
 226         return 1;
 227 }
 228
 229 int lws_parse(struct lws *wsi, unsigned char c)
 230 {
 231         static const unsigned char methods[] = {
 232                 WSI_TOKEN_GET_URI,
 233                 WSI_TOKEN_POST_URI,
 234                 WSI_TOKEN_OPTIONS_URI,
 235                 WSI_TOKEN_PUT_URI,
 236                 WSI_TOKEN_PATCH_URI,
 237                 WSI_TOKEN_DELETE_URI,
 238         };
 239         struct allocated_headers *ah = wsi->u.hdr.ah;
 240         struct lws_context *context = wsi->context;
 241         unsigned int n, m, enc = 0;
 242
 243         switch (wsi->u.hdr.parser_state) {
 244         default:
 245
 246                 lwsl_parser("WSI_TOK_(%d) '%c'\n", wsi->u.hdr.parser_state, c);
 247
 248                 /* collect into malloc'd buffers */
 249                 /* optional initial space swallow */
 250                 if (!ah->frags[ah->frag_index[
 251                                       wsi->u.hdr.parser_state]].len && c == ' ')
 252                         break;
 253
 254                 for (m = 0; m < ARRAY_SIZE(methods); m++)
 255                         if (wsi->u.hdr.parser_state == methods[m])
 256                                 break;
 257                 if (m == ARRAY_SIZE(methods))
 258                         /* it was not any of the methods */
 259                         goto check_eol;
 260
 261                 /* special URI processing... end at space */
 262
 263                 if (c == ' ') {
 264                         /* enforce starting with / */
 265                         if (!ah->frags[ah->nfrag].len)
 266                                 if (issue_char(wsi, '/') < 0)
 267                                         return -1;
 268
 269                         /* begin parsing HTTP version: */
 270                         if (issue_char(wsi, '\0') < 0)
 271                                 return -1;
 272                         wsi->u.hdr.parser_state = WSI_TOKEN_HTTP;
 273                         goto start_fragment;
 274                 }
 275
 276                 /* special URI processing... convert %xx */
 277
 278                 switch (wsi->u.hdr.ues) {
 279                 case URIES_IDLE:
 280                         if (c == '%') {
 281                                 wsi->u.hdr.ues = URIES_SEEN_PERCENT;
 282                                 goto swallow;
 283                         }
 284                         break;
 285                 case URIES_SEEN_PERCENT:
 286                         if (char_to_hex(c) < 0) {
 287                                 /* regurgitate */
 288                                 if (issue_char(wsi, '%') < 0)
 289                                         return -1;
 290                                 wsi->u.hdr.ues = URIES_IDLE;
 291                                 /* continue on to assess c */
 292                                 break;
 293                         }
 294                         wsi->u.hdr.esc_stash = c;
 295                         wsi->u.hdr.ues = URIES_SEEN_PERCENT_H1;
 296                         goto swallow;
 297
 298                 case URIES_SEEN_PERCENT_H1:
 299                         if (char_to_hex(c) < 0) {
 300                                 /* regurgitate */
 301                                 issue_char(wsi, '%');
 302                                 wsi->u.hdr.ues = URIES_IDLE;
 303                                 /* regurgitate + assess */
 304                                 if (lws_parse(wsi, wsi->u.hdr.esc_stash) < 0)
 305                                         return -1;
 306                                 /* continue on to assess c */
 307                                 break;
 308                         }
 309                         c = (char_to_hex(wsi->u.hdr.esc_stash) << 4) |
 310                                         char_to_hex(c);
 311                         enc = 1;
 312                         wsi->u.hdr.ues = URIES_IDLE;
 313                         break;
 314                 }
 315
 316                 /*
 317                  * special URI processing...
 318                  *  convert /.. or /... or /../ etc to /
 319                  *  convert /./ to /
 320                  *  convert // or /// etc to /
 321                  *  leave /.dir or whatever alone
 322                  */
 323
 324                 switch (wsi->u.hdr.ups) {
 325                 case URIPS_IDLE:
 326                         /* genuine delimiter */
 327                         if ((c == '&' || c == ';') && !enc) {
 328                                 issue_char(wsi, c);
 329                                 /* swallow the terminator */
 330                                 ah->frags[ah->nfrag].len--;
 331                                 /* link to next fragment */
 332                                 ah->frags[ah->nfrag].nfrag = ah->nfrag + 1;
 333                                 ah->nfrag++;
 334                                 if (ah->nfrag >= ARRAY_SIZE(ah->frags))
 335                                         goto excessive;
 336                                 /* start next fragment after the & */
 337                                 wsi->u.hdr.post_literal_equal = 0;
 338                                 ah->frags[ah->nfrag].offset = ah->pos;
 339                                 ah->frags[ah->nfrag].len = 0;
 340                                 ah->frags[ah->nfrag].nfrag = 0;
 341                                 goto swallow;
 342                         }
 343                         /* uriencoded = in the name part, disallow */
 344                         if (c == '=' && enc && !wsi->u.hdr.post_literal_equal)
 345                                 c = '_';
 346
 347                         /* after the real =, we don't care how many = */
 348                         if (c == '=' && !enc)
 349                                 wsi->u.hdr.post_literal_equal = 1;
 350
 351                         /* + to space */
 352                         if (c == '+' && !enc)
 353                                 c = ' ';
 354                         /* issue the first / always */
 355                         if (c == '/' && !ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS])
 356                                 wsi->u.hdr.ups = URIPS_SEEN_SLASH;
 357                         break;
 358                 case URIPS_SEEN_SLASH:
 359                         /* swallow subsequent slashes */
 360                         if (c == '/')
 361                                 goto swallow;
 362                         /* track and swallow the first . after / */
 363                         if (c == '.') {
 364                                 wsi->u.hdr.ups = URIPS_SEEN_SLASH_DOT;
 365                                 goto swallow;
 366                         }
 367                         wsi->u.hdr.ups = URIPS_IDLE;
 368                         break;
 369                 case URIPS_SEEN_SLASH_DOT:
 370                         /* swallow second . */
 371                         if (c == '.') {
 372                                 /*
 373                                  * back up one dir level if possible
 374                                  * safe against header fragmentation because
 375                                  * the method URI can only be in 1 fragment
 376                                  */
 377                                 if (ah->frags[ah->nfrag].len > 2) {
 378                                         ah->pos--;
 379                                         ah->frags[ah->nfrag].len--;
 380                                         do {
 381                                                 ah->pos--;
 382                                                 ah->frags[ah->nfrag].len--;
 383                                         } while (ah->frags[ah->nfrag].len > 1 &&
 384                                                  ah->data[ah->pos] != '/');
 385                                 }
 386                                 wsi->u.hdr.ups = URIPS_SEEN_SLASH_DOT_DOT;
 387                                 goto swallow;
 388                         }
 389                         /* change /./ to / */
 390                         if (c == '/') {
 391                                 wsi->u.hdr.ups = URIPS_SEEN_SLASH;
 392                                 goto swallow;
 393                         }
 394                         /* it was like /.dir ... regurgitate the . */
 395                         wsi->u.hdr.ups = URIPS_IDLE;
 396                         if (issue_char(wsi, '.') < 0)
 397                                 return -1;
 398                         break;
 399
 400                 case URIPS_SEEN_SLASH_DOT_DOT:
 401                         /* swallow prior .. chars and any subsequent . */
 402                         if (c == '.')
 403                                 goto swallow;
 404                         /* last issued was /, so another / == // */
 405                         if (c == '/')
 406                                 goto swallow;
 407                         /* last we issued was / so SEEN_SLASH */
 408                         wsi->u.hdr.ups = URIPS_SEEN_SLASH;
 409                         break;
 410                 }
 411
 412                 if (c == '?' && !enc &&
 413                     !ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS]) { /* start of URI arguments */
 414                         /* seal off uri header */
 415                         ah->data[ah->pos++] = '\0';
 416
 417                         /* move to using WSI_TOKEN_HTTP_URI_ARGS */
 418                         ah->nfrag++;
 419                         if (ah->nfrag >= ARRAY_SIZE(ah->frags))
 420                                 goto excessive;
 421                         ah->frags[ah->nfrag].offset = ah->pos;
 422                         ah->frags[ah->nfrag].len = 0;
 423                         ah->frags[ah->nfrag].nfrag = 0;
 424
 425                         wsi->u.hdr.post_literal_equal = 0;
 426                         ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS] = ah->nfrag;
 427                         wsi->u.hdr.ups = URIPS_IDLE;
 428                         goto swallow;
 429                 }
 430
 431 check_eol:
 432
 433                 /* bail at EOL */
 434                 if (wsi->u.hdr.parser_state != WSI_TOKEN_CHALLENGE &&
 435                                                                   c == '\x0d') {
 436                         c = '\0';
 437                         wsi->u.hdr.parser_state = WSI_TOKEN_SKIPPING_SAW_CR;
 438                         lwsl_parser("*\n");
 439                 }
 440
 441                 n = issue_char(wsi, c);
 442                 if ((int)n < 0)
 443                         return -1;
 444                 if (n > 0)
 445                         wsi->u.hdr.parser_state = WSI_TOKEN_SKIPPING;
 446
 447 swallow:
 448                 /* per-protocol end of headers management */
 449
 450                 if (wsi->u.hdr.parser_state == WSI_TOKEN_CHALLENGE)
 451                         goto set_parsing_complete;
 452                 break;
 453
 454                 /* collecting and checking a name part */
 455         case WSI_TOKEN_NAME_PART:
 456                 lwsl_parser("WSI_TOKEN_NAME_PART '%c' (mode=%d)\n", c, wsi->mode);
 457
 458                 wsi->u.hdr.lextable_pos =
 459                                 lextable_decode(wsi->u.hdr.lextable_pos, c);
 460                 /*
 461                  * Server needs to look out for unknown methods...
 462                  */
 463                 if (wsi->u.hdr.lextable_pos < 0 &&
 464                     wsi->mode == LWSCM_HTTP_SERVING) {
 465                         /* this is not a header we know about */
 466                         for (m = 0; m < ARRAY_SIZE(methods); m++)
 467                                 if (ah->frag_index[methods[m]]) {
 468                                         /*
 469                                          * already had the method, no idea what
 470                                          * this crap from the client is, ignore
 471                                          */
 472                                         wsi->u.hdr.parser_state = WSI_TOKEN_SKIPPING;
 473                                         break;
 474                                 }
 475                         /*
 476                          * hm it's an unknown http method from a client in fact,
 477                          * treat as dangerous
 478                          */
 479                         if (m == ARRAY_SIZE(methods)) {
 480                                 lwsl_info("Unknown method - dropping\n");
 481                                 return -1;
 482                         }
 483                         break;
 484                 }
 485                 /*
 486                  * ...otherwise for a client, let him ignore unknown headers
 487                  * coming from the server
 488                  */
 489                 if (wsi->u.hdr.lextable_pos < 0) {
 490                         wsi->u.hdr.parser_state = WSI_TOKEN_SKIPPING;
 491                         break;
 492                 }
 493
 494                 if (lextable[wsi->u.hdr.lextable_pos] < FAIL_CHAR) {
 495                         /* terminal state */
 496
 497                         n = ((unsigned int)lextable[wsi->u.hdr.lextable_pos] << 8) |
 498                                         lextable[wsi->u.hdr.lextable_pos + 1];
 499
 500                         lwsl_parser("known hdr %d\n", n);
 501                         for (m = 0; m < ARRAY_SIZE(methods); m++)
 502                                 if (n == methods[m] &&
 503                                                 ah->frag_index[
 504                                                         methods[m]]) {
 505                                         lwsl_warn("Duplicated method\n");
 506                                         return -1;
 507                                 }
 508
 509                         /*
 510                          * WSORIGIN is protocol equiv to ORIGIN,
 511                          * JWebSocket likes to send it, map to ORIGIN
 512                          */
 513                         if (n == WSI_TOKEN_SWORIGIN)
 514                                 n = WSI_TOKEN_ORIGIN;
 515
 516                         wsi->u.hdr.parser_state = (enum lws_token_indexes)
 517                                                         (WSI_TOKEN_GET_URI + n);
 518
 519                         if (context->token_limits)
 520                                 wsi->u.hdr.current_token_limit =
 521                                         context->token_limits->token_limit[
 522                                                        wsi->u.hdr.parser_state];
 523                         else
 524                                 wsi->u.hdr.current_token_limit = sizeof(ah->data);
 525
 526                         if (wsi->u.hdr.parser_state == WSI_TOKEN_CHALLENGE)
 527                                 goto set_parsing_complete;
 528
 529                         goto start_fragment;
 530                 }
 531                 break;
 532
 533 start_fragment:
 534                 ah->nfrag++;
 535 excessive:
 536                 if (ah->nfrag == ARRAY_SIZE(ah->frags)) {
 537                         lwsl_warn("More hdr frags than we can deal with\n");
 538                         return -1;
 539                 }
 540
 541                 ah->frags[ah->nfrag].offset = ah->pos;
 542                 ah->frags[ah->nfrag].len = 0;
 543                 ah->frags[ ah->nfrag].nfrag = 0;
 544
 545                 n = ah->frag_index[wsi->u.hdr.parser_state];
 546                 if (!n) { /* first fragment */
 547                         ah->frag_index[wsi->u.hdr.parser_state] = ah->nfrag;
 548                         break;
 549                 }
 550                 /* continuation */
 551                 while (ah->frags[n].nfrag)
 552                                 n = ah->frags[n].nfrag;
 553                 ah->frags[n].nfrag = ah->nfrag;
 554
 555                 if (ah->pos == sizeof(ah->data)) {
 556                         lwsl_warn("excessive header content\n");
 557                         return -1;
 558                 }
 559
 560                 ah->data[ah->pos++] = ' ';
 561                 ah->frags[ah->nfrag].len++;
 562                 break;
 563
 564                 /* skipping arg part of a name we didn't recognize */
 565         case WSI_TOKEN_SKIPPING:
 566                 lwsl_parser("WSI_TOKEN_SKIPPING '%c'\n", c);
 567
 568                 if (c == '\x0d')
 569                         wsi->u.hdr.parser_state = WSI_TOKEN_SKIPPING_SAW_CR;
 570                 break;
 571
 572         case WSI_TOKEN_SKIPPING_SAW_CR:
 573                 lwsl_parser("WSI_TOKEN_SKIPPING_SAW_CR '%c'\n", c);
 574                 if (c == '\x0a') {
 575                         wsi->u.hdr.parser_state = WSI_TOKEN_NAME_PART;
 576                         wsi->u.hdr.lextable_pos = 0;
 577                 } else
 578                         wsi->u.hdr.parser_state = WSI_TOKEN_SKIPPING;
 579                 break;
 580                 /* we're done, ignore anything else */
 581
 582         case WSI_PARSING_COMPLETE:
 583                 lwsl_parser("WSI_PARSING_COMPLETE '%c'\n", c);
 584                 break;
 585         }
 586
 587         return 0;
 588
 589 set_parsing_complete:
 590
 591         if (lws_hdr_total_length(wsi, WSI_TOKEN_UPGRADE)) {
 592                 if (lws_hdr_total_length(wsi, WSI_TOKEN_VERSION))
 593                         wsi->ietf_spec_revision =
 594                                atoi(lws_hdr_simple_ptr(wsi, WSI_TOKEN_VERSION));
 595
 596                 lwsl_parser("v%02d hdrs completed\n", wsi->ietf_spec_revision);
 597         }
 598         wsi->u.hdr.parser_state = WSI_PARSING_COMPLETE;
 599         wsi->hdr_parsing_completed = 1;
 600
 601         return 0;
 602 }
 603
 604
 605 /**
 606  * lws_frame_is_binary: true if the current frame was sent in binary mode
 607  *
 608  * @wsi: the connection we are inquiring about
 609  *
 610  * This is intended to be called from the LWS_CALLBACK_RECEIVE callback if
 611  * it's interested to see if the frame it's dealing with was sent in binary
 612  * mode.
 613  */
 614
 615 LWS_VISIBLE int lws_frame_is_binary(struct lws *wsi)
 616 {
 617         return wsi->u.ws.frame_is_binary;
 618 }
 619
 620 int
 621 lws_rx_sm(struct lws *wsi, unsigned char c)
 622 {
 623         struct lws_tokens eff_buf;
 624         int ret = 0;
 625         int callback_action = LWS_CALLBACK_RECEIVE;
 626
 627         switch (wsi->lws_rx_parse_state) {
 628         case LWS_RXPS_NEW:
 629
 630                 switch (wsi->ietf_spec_revision) {
 631                 case 13:
 632                         /*
 633                          * no prepended frame key any more
 634                          */
 635                         wsi->u.ws.all_zero_nonce = 1;
 636                         goto handle_first;
 637
 638                 default:
 639                         lwsl_warn("lws_rx_sm: unknown spec version %d\n",
 640                                                        wsi->ietf_spec_revision);
 641                         break;
 642                 }
 643                 break;
 644         case LWS_RXPS_04_MASK_NONCE_1:
 645                 wsi->u.ws.mask_nonce[1] = c;
 646                 if (c)
 647                         wsi->u.ws.all_zero_nonce = 0;
 648                 wsi->lws_rx_parse_state = LWS_RXPS_04_MASK_NONCE_2;
 649                 break;
 650         case LWS_RXPS_04_MASK_NONCE_2:
 651                 wsi->u.ws.mask_nonce[2] = c;
 652                 if (c)
 653                         wsi->u.ws.all_zero_nonce = 0;
 654                 wsi->lws_rx_parse_state = LWS_RXPS_04_MASK_NONCE_3;
 655                 break;
 656         case LWS_RXPS_04_MASK_NONCE_3:
 657                 wsi->u.ws.mask_nonce[3] = c;
 658                 if (c)
 659                         wsi->u.ws.all_zero_nonce = 0;
 660
 661                 /*
 662                  * start from the zero'th byte in the XOR key buffer since
 663                  * this is the start of a frame with a new key
 664                  */
 665
 666                 wsi->u.ws.frame_mask_index = 0;
 667
 668                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_1;
 669                 break;
 670
 671         /*
 672          *  04 logical framing from the spec (all this is masked when incoming
 673          *  and has to be unmasked)
 674          *
 675          * We ignore the possibility of extension data because we don't
 676          * negotiate any extensions at the moment.
 677          *
 678          *    0                   1                   2                   3
 679          *    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 680          *   +-+-+-+-+-------+-+-------------+-------------------------------+
 681          *   |F|R|R|R| opcode|R| Payload len |    Extended payload length    |
 682          *   |I|S|S|S|  (4)  |S|     (7)     |             (16/63)           |
 683          *   |N|V|V|V|       |V|             |   (if payload len==126/127)   |
 684          *   | |1|2|3|       |4|             |                               |
 685          *   +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
 686          *   |     Extended payload length continued, if payload len == 127  |
 687          *   + - - - - - - - - - - - - - - - +-------------------------------+
 688          *   |                               |         Extension data        |
 689          *   +-------------------------------+ - - - - - - - - - - - - - - - +
 690          *   :                                                               :
 691          *   +---------------------------------------------------------------+
 692          *   :                       Application data                        :
 693          *   +---------------------------------------------------------------+
 694          *
 695          *  We pass payload through to userland as soon as we get it, ignoring
 696          *  FIN.  It's up to userland to buffer it up if it wants to see a
 697          *  whole unfragmented block of the original size (which may be up to
 698          *  2^63 long!)
 699          */
 700
 701         case LWS_RXPS_04_FRAME_HDR_1:
 702 handle_first:
 703
 704                 wsi->u.ws.opcode = c & 0xf;
 705                 wsi->u.ws.rsv = c & 0x70;
 706                 wsi->u.ws.final = !!((c >> 7) & 1);
 707
 708                 switch (wsi->u.ws.opcode) {
 709                 case LWSWSOPC_TEXT_FRAME:
 710                 case LWSWSOPC_BINARY_FRAME:
 711                         wsi->u.ws.frame_is_binary =
 712                              wsi->u.ws.opcode == LWSWSOPC_BINARY_FRAME;
 713                         break;
 714                 }
 715                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN;
 716                 break;
 717
 718         case LWS_RXPS_04_FRAME_HDR_LEN:
 719
 720                 wsi->u.ws.this_frame_masked = !!(c & 0x80);
 721
 722                 switch (c & 0x7f) {
 723                 case 126:
 724                         /* control frames are not allowed to have big lengths */
 725                         if (wsi->u.ws.opcode & 8)
 726                                 goto illegal_ctl_length;
 727
 728                         wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN16_2;
 729                         break;
 730                 case 127:
 731                         /* control frames are not allowed to have big lengths */
 732                         if (wsi->u.ws.opcode & 8)
 733                                 goto illegal_ctl_length;
 734
 735                         wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN64_8;
 736                         break;
 737                 default:
 738                         wsi->u.ws.rx_packet_length = c & 0x7f;
 739                         if (wsi->u.ws.this_frame_masked)
 740                                 wsi->lws_rx_parse_state =
 741                                                 LWS_RXPS_07_COLLECT_FRAME_KEY_1;
 742                         else
 743                                 if (wsi->u.ws.rx_packet_length)
 744                                         wsi->lws_rx_parse_state =
 745                                         LWS_RXPS_PAYLOAD_UNTIL_LENGTH_EXHAUSTED;
 746                                 else {
 747                                         wsi->lws_rx_parse_state = LWS_RXPS_NEW;
 748                                         goto spill;
 749                                 }
 750                         break;
 751                 }
 752                 break;
 753
 754         case LWS_RXPS_04_FRAME_HDR_LEN16_2:
 755                 wsi->u.ws.rx_packet_length = c << 8;
 756                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN16_1;
 757                 break;
 758
 759         case LWS_RXPS_04_FRAME_HDR_LEN16_1:
 760                 wsi->u.ws.rx_packet_length |= c;
 761                 if (wsi->u.ws.this_frame_masked)
 762                         wsi->lws_rx_parse_state =
 763                                         LWS_RXPS_07_COLLECT_FRAME_KEY_1;
 764                 else
 765                         wsi->lws_rx_parse_state =
 766                                 LWS_RXPS_PAYLOAD_UNTIL_LENGTH_EXHAUSTED;
 767                 break;
 768
 769         case LWS_RXPS_04_FRAME_HDR_LEN64_8:
 770                 if (c & 0x80) {
 771                         lwsl_warn("b63 of length must be zero\n");
 772                         /* kill the connection */
 773                         return -1;
 774                 }
 775 #if defined __LP64__
 776                 wsi->u.ws.rx_packet_length = ((size_t)c) << 56;
 777 #else
 778                 wsi->u.ws.rx_packet_length = 0;
 779 #endif
 780                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN64_7;
 781                 break;
 782
 783         case LWS_RXPS_04_FRAME_HDR_LEN64_7:
 784 #if defined __LP64__
 785                 wsi->u.ws.rx_packet_length |= ((size_t)c) << 48;
 786 #endif
 787                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN64_6;
 788                 break;
 789
 790         case LWS_RXPS_04_FRAME_HDR_LEN64_6:
 791 #if defined __LP64__
 792                 wsi->u.ws.rx_packet_length |= ((size_t)c) << 40;
 793 #endif
 794                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN64_5;
 795                 break;
 796
 797         case LWS_RXPS_04_FRAME_HDR_LEN64_5:
 798 #if defined __LP64__
 799                 wsi->u.ws.rx_packet_length |= ((size_t)c) << 32;
 800 #endif
 801                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN64_4;
 802                 break;
 803
 804         case LWS_RXPS_04_FRAME_HDR_LEN64_4:
 805                 wsi->u.ws.rx_packet_length |= ((size_t)c) << 24;
 806                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN64_3;
 807                 break;
 808
 809         case LWS_RXPS_04_FRAME_HDR_LEN64_3:
 810                 wsi->u.ws.rx_packet_length |= ((size_t)c) << 16;
 811                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN64_2;
 812                 break;
 813
 814         case LWS_RXPS_04_FRAME_HDR_LEN64_2:
 815                 wsi->u.ws.rx_packet_length |= ((size_t)c) << 8;
 816                 wsi->lws_rx_parse_state = LWS_RXPS_04_FRAME_HDR_LEN64_1;
 817                 break;
 818
 819         case LWS_RXPS_04_FRAME_HDR_LEN64_1:
 820                 wsi->u.ws.rx_packet_length |= ((size_t)c);
 821                 if (wsi->u.ws.this_frame_masked)
 822                         wsi->lws_rx_parse_state =
 823                                         LWS_RXPS_07_COLLECT_FRAME_KEY_1;
 824                 else
 825                         wsi->lws_rx_parse_state =
 826                                 LWS_RXPS_PAYLOAD_UNTIL_LENGTH_EXHAUSTED;
 827                 break;
 828
 829         case LWS_RXPS_07_COLLECT_FRAME_KEY_1:
 830                 wsi->u.ws.mask_nonce[0] = c;
 831                 if (c)
 832                         wsi->u.ws.all_zero_nonce = 0;
 833                 wsi->lws_rx_parse_state = LWS_RXPS_07_COLLECT_FRAME_KEY_2;
 834                 break;
 835
 836         case LWS_RXPS_07_COLLECT_FRAME_KEY_2:
 837                 wsi->u.ws.mask_nonce[1] = c;
 838                 if (c)
 839                         wsi->u.ws.all_zero_nonce = 0;
 840                 wsi->lws_rx_parse_state = LWS_RXPS_07_COLLECT_FRAME_KEY_3;
 841                 break;
 842
 843         case LWS_RXPS_07_COLLECT_FRAME_KEY_3:
 844                 wsi->u.ws.mask_nonce[2] = c;
 845                 if (c)
 846                         wsi->u.ws.all_zero_nonce = 0;
 847                 wsi->lws_rx_parse_state = LWS_RXPS_07_COLLECT_FRAME_KEY_4;
 848                 break;
 849
 850         case LWS_RXPS_07_COLLECT_FRAME_KEY_4:
 851                 wsi->u.ws.mask_nonce[3] = c;
 852                 if (c)
 853                         wsi->u.ws.all_zero_nonce = 0;
 854                 wsi->lws_rx_parse_state =
 855                                         LWS_RXPS_PAYLOAD_UNTIL_LENGTH_EXHAUSTED;
 856                 wsi->u.ws.frame_mask_index = 0;
 857                 if (wsi->u.ws.rx_packet_length == 0) {
 858                         wsi->lws_rx_parse_state = LWS_RXPS_NEW;
 859                         goto spill;
 860                 }
 861                 break;
 862
 863
 864         case LWS_RXPS_PAYLOAD_UNTIL_LENGTH_EXHAUSTED:
 865
 866                 if (!wsi->u.ws.rx_user_buffer) {
 867                         lwsl_err("NULL user buffer...\n");
 868                         return 1;
 869                 }
 870
 871                 if (wsi->u.ws.all_zero_nonce)
 872                         wsi->u.ws.rx_user_buffer[LWS_SEND_BUFFER_PRE_PADDING +
 873                                (wsi->u.ws.rx_user_buffer_head++)] = c;
 874                 else
 875                         wsi->u.ws.rx_user_buffer[LWS_SEND_BUFFER_PRE_PADDING +
 876                                (wsi->u.ws.rx_user_buffer_head++)] =
 877                                    c ^ wsi->u.ws.mask_nonce[
 878                                             (wsi->u.ws.frame_mask_index++) & 3];
 879
 880                 if (--wsi->u.ws.rx_packet_length == 0) {
 881                         /* spill because we have the whole frame */
 882                         wsi->lws_rx_parse_state = LWS_RXPS_NEW;
 883                         goto spill;
 884                 }
 885
 886                 /*
 887                  * if there's no protocol max frame size given, we are
 888                  * supposed to default to LWS_MAX_SOCKET_IO_BUF
 889                  */
 890
 891                 if (!wsi->protocol->rx_buffer_size &&
 892                                         wsi->u.ws.rx_user_buffer_head !=
 893                                                           LWS_MAX_SOCKET_IO_BUF)
 894                         break;
 895                 else
 896                         if (wsi->protocol->rx_buffer_size &&
 897                                         wsi->u.ws.rx_user_buffer_head !=
 898                                                   wsi->protocol->rx_buffer_size)
 899                         break;
 900
 901                 /* spill because we filled our rx buffer */
 902 spill:
 903                 /*
 904                  * is this frame a control packet we should take care of at this
 905                  * layer?  If so service it and hide it from the user callback
 906                  */
 907
 908                 lwsl_parser("spill on %s\n", wsi->protocol->name);
 909
 910                 switch (wsi->u.ws.opcode) {
 911                 case LWSWSOPC_CLOSE:
 912                         /* is this an acknowledgement of our close? */
 913                         if (wsi->state == LWSS_AWAITING_CLOSE_ACK) {
 914                                 /*
 915                                  * fine he has told us he is closing too, let's
 916                                  * finish our close
 917                                  */
 918                                 lwsl_parser("seen client close ack\n");
 919                                 return -1;
 920                         }
 921                         if (wsi->state == LWSS_RETURNED_CLOSE_ALREADY)
 922                                 /* if he sends us 2 CLOSE, kill him */
 923                                 return -1;
 924
 925                         lwsl_parser("server sees client close packet\n");
 926                         wsi->state = LWSS_RETURNED_CLOSE_ALREADY;
 927                         /* deal with the close packet contents as a PONG */
 928                         wsi->u.ws.payload_is_close = 1;
 929                         goto process_as_ping;
 930
 931                 case LWSWSOPC_PING:
 932                         lwsl_info("received %d byte ping, sending pong\n",
 933                                                  wsi->u.ws.rx_user_buffer_head);
 934
 935                         if (wsi->u.ws.ping_pending_flag) {
 936                                 /*
 937                                  * there is already a pending ping payload
 938                                  * we should just log and drop
 939                                  */
 940                                 lwsl_parser("DROP PING since one pending\n");
 941                                 goto ping_drop;
 942                         }
 943 process_as_ping:
 944                         /* control packets can only be < 128 bytes long */
 945                         if (wsi->u.ws.rx_user_buffer_head > 128 - 4) {
 946                                 lwsl_parser("DROP PING payload too large\n");
 947                                 goto ping_drop;
 948                         }
 949
 950                         /* if existing buffer is too small, drop it */
 951                         if (wsi->u.ws.ping_payload_buf &&
 952                             wsi->u.ws.ping_payload_alloc < wsi->u.ws.rx_user_buffer_head) {
 953                                 lws_free_set_NULL(wsi->u.ws.ping_payload_buf);
 954                         }
 955
 956                         /* if no buffer, allocate it */
 957                         if (!wsi->u.ws.ping_payload_buf) {
 958                                 wsi->u.ws.ping_payload_buf = lws_malloc(wsi->u.ws.rx_user_buffer_head
 959                                                                         + LWS_SEND_BUFFER_PRE_PADDING);
 960                                 wsi->u.ws.ping_payload_alloc = wsi->u.ws.rx_user_buffer_head;
 961                         }
 962
 963                         /* stash the pong payload */
 964                         memcpy(wsi->u.ws.ping_payload_buf + LWS_SEND_BUFFER_PRE_PADDING,
 965                                &wsi->u.ws.rx_user_buffer[LWS_SEND_BUFFER_PRE_PADDING],
 966                                 wsi->u.ws.rx_user_buffer_head);
 967
 968                         wsi->u.ws.ping_payload_len = wsi->u.ws.rx_user_buffer_head;
 969                         wsi->u.ws.ping_pending_flag = 1;
 970
 971                         /* get it sent as soon as possible */
 972                         lws_callback_on_writable(wsi);
 973 ping_drop:
 974                         wsi->u.ws.rx_user_buffer_head = 0;
 975                         return 0;
 976
 977                 case LWSWSOPC_PONG:
 978                         lwsl_info("received pong\n");
 979                         lwsl_hexdump(&wsi->u.ws.rx_user_buffer[LWS_SEND_BUFFER_PRE_PADDING],
 980                                      wsi->u.ws.rx_user_buffer_head);
 981
 982                         /* issue it */
 983                         callback_action = LWS_CALLBACK_RECEIVE_PONG;
 984                         break;
 985
 986                 case LWSWSOPC_TEXT_FRAME:
 987                 case LWSWSOPC_BINARY_FRAME:
 988                 case LWSWSOPC_CONTINUATION:
 989                         break;
 990
 991                 default:
 992                         lwsl_parser("passing opc %x up to exts\n",
 993                                                         wsi->u.ws.opcode);
 994                         /*
 995                          * It's something special we can't understand here.
 996                          * Pass the payload up to the extension's parsing
 997                          * state machine.
 998                          */
 999
1000                         eff_buf.token = &wsi->u.ws.rx_user_buffer[
1001                                                    LWS_SEND_BUFFER_PRE_PADDING];
1002                         eff_buf.token_len = wsi->u.ws.rx_user_buffer_head;
1003
1004                         if (lws_ext_cb_wsi_active_exts(wsi,
1005                                 LWS_EXT_CALLBACK_EXTENDED_PAYLOAD_RX,
1006                                         &eff_buf, 0) <= 0) /* not handle or fail */
1007                                 lwsl_ext("ext opc opcode 0x%x unknown\n",
1008                                                               wsi->u.ws.opcode);
1009
1010                         wsi->u.ws.rx_user_buffer_head = 0;
1011                         return 0;
1012                 }
1013
1014                 /*
1015                  * No it's real payload, pass it up to the user callback.
1016                  * It's nicely buffered with the pre-padding taken care of
1017                  * so it can be sent straight out again using lws_write
1018                  */
1019
1020                 eff_buf.token = &wsi->u.ws.rx_user_buffer[
1021                                                 LWS_SEND_BUFFER_PRE_PADDING];
1022                 eff_buf.token_len = wsi->u.ws.rx_user_buffer_head;
1023
1024                 if (lws_ext_cb_wsi_active_exts(wsi,
1025                                 LWS_EXT_CALLBACK_PAYLOAD_RX, &eff_buf, 0) < 0)
1026                         return -1;
1027
1028                 if (eff_buf.token_len > 0 ||
1029                     callback_action == LWS_CALLBACK_RECEIVE_PONG) {
1030                         eff_buf.token[eff_buf.token_len] = '\0';
1031
1032                         if (wsi->protocol->callback) {
1033
1034                                 if (callback_action == LWS_CALLBACK_RECEIVE_PONG)
1035                                     lwsl_info("Doing pong callback\n");
1036
1037                                 ret = user_callback_handle_rxflow(
1038                                                 wsi->protocol->callback,
1039                                                 wsi,
1040                                                 (enum lws_callback_reasons)callback_action,
1041                                                 wsi->user_space,
1042                                                 eff_buf.token,
1043                                                 eff_buf.token_len);
1044                         }
1045                         else
1046                                 lwsl_err("No callback on payload spill!\n");
1047                 }
1048
1049                 wsi->u.ws.rx_user_buffer_head = 0;
1050                 break;
1051         }
1052
1053         return ret;
1054
1055 illegal_ctl_length:
1056
1057         lwsl_warn("Control frame with xtended length is illegal\n");
1058         /* kill the connection */
1059         return -1;
1060 }
1061
1062
1063 /**
1064  * lws_remaining_packet_payload() - Bytes to come before "overall"
1065  *                                            rx packet is complete
1066  * @wsi:                Websocket instance (available from user callback)
1067  *
1068  *      This function is intended to be called from the callback if the
1069  *  user code is interested in "complete packets" from the client.
1070  *  libwebsockets just passes through payload as it comes and issues a buffer
1071  *  additionally when it hits a built-in limit.  The LWS_CALLBACK_RECEIVE
1072  *  callback handler can use this API to find out if the buffer it has just
1073  *  been given is the last piece of a "complete packet" from the client --
1074  *  when that is the case lws_remaining_packet_payload() will return
1075  *  0.
1076  *
1077  *  Many protocols won't care becuse their packets are always small.
1078  */
1079
1080 LWS_VISIBLE size_t
1081 lws_remaining_packet_payload(struct lws *wsi)
1082 {
1083         return wsi->u.ws.rx_packet_length;
1084 }