author | Hideki Takeoka <iichikolamp@gmail.com> |
Mon, 03 Apr 2017 10:49:22 -0400 (2017-04-03) | |
changeset 351078 | 6553dcb0df0cdae8cc9d68ae47fa04ca28aaf8c2 |
parent 351077 | 5a8eea2b095eb12eb482a31e019b11d0925bcee8 |
child 351079 | a7e88ab4d4bd7b48e80383a1386a838b7915fee9 |
push id | 31599 |
push user | cbook@mozilla.com |
push date | Tue, 04 Apr 2017 10:35:26 +0000 (2017-04-04) |
treeherder | mozilla-central@891981e67948 [default view] [failures only] |
perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
reviewers | michal |
bugs | 1351948 |
milestone | 55.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/netwerk/protocol/websocket/WebSocketChannel.cpp +++ b/netwerk/protocol/websocket/WebSocketChannel.cpp @@ -1546,31 +1546,47 @@ WebSocketChannel::ProcessInput(uint8_t * break; } else if (payloadLength64 == 126) { // 16 bit length field framingLength += 2; if (avail < framingLength) break; payloadLength64 = mFramePtr[2] << 8 | mFramePtr[3]; + + if(payloadLength64 < 126){ + // Section 5.2 says that the minimal number of bytes MUST + // be used to encode the length in all cases + LOG(("WebSocketChannel:: non-minimal-encoded payload length")); + return NS_ERROR_ILLEGAL_VALUE; + } + } else { // 64 bit length framingLength += 8; if (avail < framingLength) break; if (mFramePtr[2] & 0x80) { // Section 4.2 says that the most significant bit MUST be // 0. (i.e. this is really a 63 bit value) LOG(("WebSocketChannel:: high bit of 64 bit length set")); return NS_ERROR_ILLEGAL_VALUE; } // copy this in case it is unaligned payloadLength64 = NetworkEndian::readInt64(mFramePtr + 2); + + if(payloadLength64 <= 0xffff){ + // Section 5.2 says that the minimal number of bytes MUST + // be used to encode the length in all cases + LOG(("WebSocketChannel:: non-minimal-encoded payload length")); + return NS_ERROR_ILLEGAL_VALUE; + } + } payload = mFramePtr + framingLength; avail -= framingLength; LOG(("WebSocketChannel::ProcessInput: payload %" PRId64 " avail %" PRIu32 "\n", payloadLength64, avail));