Bug 1351948 - Refuse ws messages that don't use minimal encoding. r=michal
authorHideki Takeoka <iichikolamp@gmail.com>
Mon, 03 Apr 2017 10:49:22 -0400 (2017-04-03)
changeset 351078 6553dcb0df0cdae8cc9d68ae47fa04ca28aaf8c2
parent 351077 5a8eea2b095eb12eb482a31e019b11d0925bcee8
child 351079 a7e88ab4d4bd7b48e80383a1386a838b7915fee9
push id31599
push usercbook@mozilla.com
push dateTue, 04 Apr 2017 10:35:26 +0000 (2017-04-04)
reviewersmichal
bugs1351948
milestone55.0a1
Bug 1351948 - Refuse ws messages that don't use minimal encoding. r=michal
netwerk/protocol/websocket/WebSocketChannel.cpp
--- a/netwerk/protocol/websocket/WebSocketChannel.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannel.cpp
@@ -1546,31 +1546,47 @@ WebSocketChannel::ProcessInput(uint8_t *
         break;
     } else if (payloadLength64 == 126) {
       // 16 bit length field
       framingLength += 2;
       if (avail < framingLength)
         break;
 
       payloadLength64 = mFramePtr[2] << 8 | mFramePtr[3];
+
+      if(payloadLength64 < 126){
+        // Section 5.2 says that the minimal number of bytes MUST
+        // be used to encode the length in all cases
+        LOG(("WebSocketChannel:: non-minimal-encoded payload length"));
+        return NS_ERROR_ILLEGAL_VALUE;
+      }
+
     } else {
       // 64 bit length
       framingLength += 8;
       if (avail < framingLength)
         break;
 
       if (mFramePtr[2] & 0x80) {
         // Section 4.2 says that the most significant bit MUST be
         // 0. (i.e. this is really a 63 bit value)
         LOG(("WebSocketChannel:: high bit of 64 bit length set"));
         return NS_ERROR_ILLEGAL_VALUE;
       }
 
       // copy this in case it is unaligned
       payloadLength64 = NetworkEndian::readInt64(mFramePtr + 2);
+
+      if(payloadLength64 <= 0xffff){
+        // Section 5.2 says that the minimal number of bytes MUST
+        // be used to encode the length in all cases
+        LOG(("WebSocketChannel:: non-minimal-encoded payload length"));
+        return NS_ERROR_ILLEGAL_VALUE;
+      }
+
     }
 
     payload = mFramePtr + framingLength;
     avail -= framingLength;
 
     LOG(("WebSocketChannel::ProcessInput: payload %" PRId64 " avail %" PRIu32 "\n",
          payloadLength64, avail));
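Review bot: The two added rejections, one after the 16 bit read and one after `readInt64`, log the identical string, so a log line cannot tell which length form was non-minimal or what value the peer sent. Logging both, as in `LOG(("WebSocketChannel:: non-minimal 16 bit payload length %" PRId64 "\n", payloadLength64));` with a 64 bit counterpart, would make rejected frames easier to triage. The new conditions are written `if(payloadLength64 < 126){` and `if(payloadLength64 <= 0xffff){`, while the surrounding code uses `if (avail < framingLength)`; `if (payloadLength64 < 126) {` matches the file. No test is visible in this hunk, so the boundary cases (125/126 in the 16 bit form, 65535/65536 in the 64 bit form) are worth covering if they are not already. ProcessInput begins and continues outside the hunk.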