Permalink
Browse files

Fix segfaulting bug in frame parser.

An invalid SYN_STREAM with too short frame length could segfault the
application, arguabely due to a bug in experimental version of binary.
  • Loading branch information...
1 parent 477685f commit 6e90d6cedc0dcd81df01393d70e867a97d2ad66a @kolmodin committed Feb 28, 2012
Showing with 4 additions and 2 deletions.
  1. +4 −2 Network/SPDY/Frame.hs
@@ -139,8 +139,10 @@ getSynStream header = do
synStreamFrameAssociatedStreamID <- getWord32be 31
synStreamFramePriority <- getWord8 2
_ <- getWord16be 14
- synStreamFrameNVHCompressed <-
- getByteString (fromIntegral (controlFrameLength header) - 10)
+ let nvhLength = fromIntegral (controlFrameLength header) - 10
+ unless (nvhLength >= 1) $
+ fail $ "SYN_STREAM: frame length too short, length = " ++ show nvhLength
+ synStreamFrameNVHCompressed <- getByteString nvhLength
return SynStreamControlFrame { .. }
getSynReplyStream :: ControlFrameHeader -> BitGet Frame

0 comments on commit 6e90d6c

Please sign in to comment.