Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Buffer overflow in ws_read() #69

Closed
ghost opened this issue Sep 11, 2018 · 6 comments
Closed

Buffer overflow in ws_read() #69

ghost opened this issue Sep 11, 2018 · 6 comments

Comments

@ghost
Copy link

ghost commented Sep 11, 2018

A buffer overflow occurs when a websocket frame is bigger then the receive buffer is received.

len holds the read buffer length. rlen represents the number of bytes read and should be equal or smaller then len. payload_len is extracted out of the received data and is used to process the received data.

However payload_len is never checked against rlen. This results into a buffer overflow when a websocket frame bigger then the receive buffer is received.
@david-cermak
Copy link
Collaborator

Hi Oscar,

it was already fixed on an idf branch, but will be merged to master once IDFv3.2 is released.

Latest IDF already refers to the fixed esp-mqtt, so if you can please check the esp-idf master (no need to add esp-mqtt) and see the issue fixed, might you help closing this issue, please?

Thank you,
David

@ghost
Copy link
Author

ghost commented Oct 14, 2018

Hi David,

I'm no longer working on the project that encountered this bug, but I will try to persuade my colleague to test the fix.

Is there an estimated release date for v3.2?

Kind regards,
Oscar

@david-cermak
Copy link
Collaborator

Hi, Not a planned release date for IDFv3.2 yet, but we can expect somewhere in late November.

Thanks for mentioning to your colleagues 👍

Regards,
David

@jejer
Copy link

jejer commented Jan 2, 2019

Hi guys,
Please check rlen and enhance entire ws_read().
I could not see the fix in esp-idf master branch, could you point out which branch included the fix?

@david-cermak
Copy link
Collaborator

Hi @jejer

This fix is still in esp internal repo, but updated the commit message so will get notified once it's merged and published to GitHub

The fix I was talking about in October addressed only longer messages (this is handed correctly in mqtt_client.c when reading payload only by underlying transport -- tcp for ws). however there's still an issue if multiple shorter websocket messages reside in one read buffer and that must be handled in idf in ws_read()

@jejer
Copy link

jejer commented Jan 4, 2019
edited
Loading

Hi @david-cermak
Thanks for your info.
I have written a private ws_client according to the existing one for my project.
Included the rlen check and read frame by frame.

jejer pushed a commit to jejer/esp-epd that referenced this issue Jan 8, 2019
add websocket client demo. websocket does not works well: espressif/e…
b64ba5b 
…sp-mqtt#69
igrr pushed a commit to espressif/esp-idf that referenced this issue Apr 2, 2019
@david-cermak
tcp_transport: modification of ws to read headers first in order to r…
9ebaf36 
…ead the exact payload

closes espressif/esp-mqtt#69
catalinio pushed a commit to catalinio/pycom-esp-idf that referenced this issue Jun 28, 2019
@david-cermak
tcp_transport: modification of ws to read headers first in order to r…
e731610 
…ead the exact payload

closes espressif/esp-mqtt#69
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jejer @david-cermak