From 4fabe253a1eb0f9b494521cfa98365523a93adcf Mon Sep 17 00:00:00 2001 From: Armen Babikyan Date: Thu, 25 Jan 2018 17:36:55 -0800 Subject: [PATCH] websocket: check bounds before reading mask --- src/modules/websocket/ws_frame.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/modules/websocket/ws_frame.c b/src/modules/websocket/ws_frame.c index 9bc32686013..32a1f4bf6a6 100644 --- a/src/modules/websocket/ws_frame.c +++ b/src/modules/websocket/ws_frame.c @@ -470,13 +470,6 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame, } else mask_start = 2; - /* Decode mask */ - frame->masking_key[0] = (buf[mask_start + 0] & 0xff); - frame->masking_key[1] = (buf[mask_start + 1] & 0xff); - frame->masking_key[2] = (buf[mask_start + 2] & 0xff); - frame->masking_key[3] = (buf[mask_start + 3] & 0xff); - - /* Decode and unmask payload */ if((unsigned long long)len != (unsigned long long)frame->payload_len + mask_start + 4) { LM_WARN("message not complete frame size %u but received %u\n", @@ -492,7 +485,15 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame, *err_text = str_status_message_too_big; return -1; } + /* Decode mask */ + frame->masking_key[0] = (buf[mask_start + 0] & 0xff); + frame->masking_key[1] = (buf[mask_start + 1] & 0xff); + frame->masking_key[2] = (buf[mask_start + 2] & 0xff); + frame->masking_key[3] = (buf[mask_start + 3] & 0xff); + frame->payload_data = &buf[mask_start + 4]; + + /* Decode and unmask payload */ for(i = 0; i < frame->payload_len; i++) { j = i % 4; frame->payload_data[i] = frame->payload_data[i] ^ frame->masking_key[j];