From 9928cccdb6571149340984c0d1cbc264ad82398a Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Tue, 12 Jan 2016 23:05:02 +0800
Subject: [PATCH] fuzzer rx overflow mitigate
Signed-off-by: Andy Green
---
 lib/client.c | 1 +
 lib/parsers.c | 4 ++++
 lib/private-libwebsockets.h | 1 +
 lib/server.c | 1 +
 4 files changed, 7 insertions(+)
diff --git a/lib/client.c b/lib/client.c
index 35d3f7a..344cf6f 100644
--- a/lib/client.c
+++ b/lib/client.c
@@ -813,6 +813,7 @@ check_accept:
 lwsl_err("Out of Mem allocating rx buffer %d\n", n);
 goto bail2;
 }
+ wsi->u.ws.rx_ubuf_alloc = n;
 lwsl_info("Allocating client RX buffer %d\n", n);
 if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF, (const char *)&n,
diff --git a/lib/parsers.c b/lib/parsers.c
index 7170620..93a1210 100644
--- a/lib/parsers.c
+++ b/lib/parsers.c
@@ -1016,6 +1016,10 @@ handle_first:
 assert(wsi->u.ws.rx_ubuf);
+ if (wsi->u.ws.rx_ubuf_head + LWS_PRE + 4 >= wsi->u.ws.rx_ubuf_alloc) {
+ lwsl_err("Attempted overflow\n");
+ return -1;
+ }
 if (wsi->u.ws.all_zero_nonce) wsi->u.ws.rx_ubuf[LWS_PRE + (wsi->u.ws.rx_ubuf_head++)] = c;
diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h
index e618a13..d7f069c 100644
--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@@ -840,6 +840,7 @@ struct _lws_header_related {
 struct _lws_websocket_related {
 char *rx_ubuf;
+ unsigned int rx_ubuf_alloc;
 struct lws *rx_draining_ext_list;
 struct lws *tx_draining_ext_list;
 size_t rx_packet_length;
diff --git a/lib/server.c b/lib/server.c
index 0715645..d535b81 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -545,6 +545,7 @@ upgrade_ws:
 lwsl_err("Out of Mem allocating rx buffer %d\n", n);
 return 1;
 }
+ wsi->u.ws.rx_ubuf_alloc = n;
 lwsl_info("Allocating RX buffer %d\n", n);
 #if LWS_POSIX
 if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF,
--
2.7.4
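Review bot: The size stored by `wsi->u.ws.rx_ubuf_alloc = n;` is never read on the client side in this patch; the only consumer is the new check in lib/parsers.c. If client connections fill `rx_ubuf` from a separate receive state machine (not visible in these four files), that write site needs the same bound before this counts as mitigated for clients. Separately, `n` is printed with `%d` on the neighbouring lines, so it looks like a signed int being stored into an `unsigned int`; a comment such as `/* n is the positive size recorded for the rx_ubuf allocation */` or an explicit cast would make the intent clear here and at the matching line in lib/server.c. The enclosing function begins and ends outside the hunk.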
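Review bot: The bound `rx_ubuf_head + LWS_PRE + 4 >= rx_ubuf_alloc` cannot be checked against the allocation from this patch alone, because whether `n` already includes `LWS_PRE` and the 4 bytes of slack is decided where `n` is computed in client.c and server.c, outside the hunks. A comment above the `if` stating that relationship would let a reader confirm the check is neither off by one nor stricter than needed. If `rx_ubuf_head` is a signed type (its declaration is not shown), the comparison against the `unsigned int` field is done in unsigned arithmetic, which deserves a mention as well. For triage, the log line would be more useful with the values, e.g. `lwsl_err("rx overflow: head %u, alloc %u\n", (unsigned int)wsi->u.ws.rx_ubuf_head, wsi->u.ws.rx_ubuf_alloc);`. The function containing `handle_first:` starts and ends outside the hunk.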
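Review bot: `rx_ubuf_alloc` is added without a comment saying what it counts, and the bounds check in lib/parsers.c depends on exactly that. I would write `unsigned int rx_ubuf_alloc; /* bytes recorded when rx_ubuf was allocated */` and state whether the figure includes `LWS_PRE`. The struct continues past the end of the hunk.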