Don't inflate more than ~16mb, drop connection on inflate error

uNetworking · Oct 13, 2016 · 37deefd · 37deefd
1 parent 678d890
commit 37deefd
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/src/Hub.cpp b/src/Hub.cpp
@@ -2,6 +2,8 @@
 #include "HTTPSocket.h"
 #include <openssl/sha.h>
 
+static const int INFLATE_LESS_THAN_ROUGHLY = 16777216;
+
 namespace uWS {
 
 char *Hub::inflate(char *data, size_t &length) {
@@ -18,12 +20,13 @@ char *Hub::inflate(char *data, size_t &length) {
         if (!inflationStream.avail_in) {
             break;
         }
+
         dynamicInflationBuffer.append(inflationBuffer, LARGE_BUFFER_SIZE - inflationStream.avail_out);
-    } while (err == Z_BUF_ERROR);
+    } while (err == Z_BUF_ERROR && dynamicInflationBuffer.length() <= INFLATE_LESS_THAN_ROUGHLY);
 
     inflateReset(&inflationStream);
 
-    if (err != Z_BUF_ERROR && err != Z_OK) {
+    if ((err != Z_BUF_ERROR && err != Z_OK) || dynamicInflationBuffer.length() > INFLATE_LESS_THAN_ROUGHLY) {
         length = 0;
         return nullptr;
     }

diff --git a/src/WebSocketImpl.cpp b/src/WebSocketImpl.cpp
@@ -36,6 +36,10 @@ bool WebSocketProtocol<isServer>::handleFragment(char *data, size_t length, unsi
                 webSocketData->compressionStatus = WebSocket<isServer>::Data::CompressionStatus::ENABLED;
                 Hub *hub = ((Group<isServer> *) s.getSocketData()->nodeData)->hub;
                 data = hub->inflate(data, length);
+                if (!data) {
+                    forceClose(user);
+                    return true;
+                }
             }
 
             if (opCode == 1 && !isValidUtf8((unsigned char *) data, length)) {
@@ -56,6 +60,10 @@ bool WebSocketProtocol<isServer>::handleFragment(char *data, size_t length, unsi
                     Hub *hub = ((Group<isServer> *) s.getSocketData()->nodeData)->hub;
                     webSocketData->fragmentBuffer.append("....");
                     data = hub->inflate((char *) webSocketData->fragmentBuffer.data(), length);
+                    if (!data) {
+                        forceClose(user);
+                        return true;
+                    }
                 } else {
                     data = (char *) webSocketData->fragmentBuffer.data();
                 }