lws_write: report and reject suspicious lengths

author Andy Green <andy@warmcat.com>

Mon, 8 May 2017 02:49:10 +0000 (10:49 +0800)

committer Andy Green <andy@warmcat.com>

Tue, 9 May 2017 06:18:40 +0000 (14:18 +0800)
author Andy Green <andy@warmcat.com>
Mon, 8 May 2017 02:49:10 +0000 (10:49 +0800)
committer Andy Green <andy@warmcat.com>
Tue, 9 May 2017 06:18:40 +0000 (14:18 +0800)
diff --git a/lib/output.c b/lib/output.c

index c77b5c0..a41b0e0 100644 (file)
--- a/lib/output.c
+++ b/lib/output.c
@@ -244,6 +244,12 @@ LWS_VISIBLE int lws_write(struct lws *wsi, unsigned char *buf, size_t len,
         int pre = 0, n;
         size_t orig_len = len;
  
+       if ((int)len < 0) {
+               lwsl_err("%s: suspicious len int %d, ulong %lu\n", __func__,
+                               (int)len, (unsigned long)len);
+               return -1;
+       }
+
  #ifdef LWS_WITH_ACCESS_LOG
         wsi->access_log.sent += len;
  #endif
author	Andy Green <andy@warmcat.com>
	Mon, 8 May 2017 02:49:10 +0000 (10:49 +0800)
committer	Andy Green <andy@warmcat.com>
	Tue, 9 May 2017 06:18:40 +0000 (14:18 +0800)