Bug 1351948 - Refuse ws messages that don't use minimal encoding. r=michal
authorHideki Takeoka <iichikolamp@gmail.com>
Mon, 03 Apr 2017 10:49:22 -0400
changeset 555410 6553dcb0df0cdae8cc9d68ae47fa04ca28aaf8c2
parent 555409 5a8eea2b095eb12eb482a31e019b11d0925bcee8
child 555411 a7e88ab4d4bd7b48e80383a1386a838b7915fee9
push id52236
push usercykesiopka.bmo@gmail.com
push dateTue, 04 Apr 2017 09:12:57 +0000
reviewersmichal
bugs1351948
milestone55.0a1
Bug 1351948 - Refuse ws messages that don't use minimal encoding. r=michal
netwerk/protocol/websocket/WebSocketChannel.cpp
--- a/netwerk/protocol/websocket/WebSocketChannel.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannel.cpp
@@ -1546,31 +1546,47 @@ WebSocketChannel::ProcessInput(uint8_t *
         break;
     } else if (payloadLength64 == 126) {
       // 16 bit length field
       framingLength += 2;
       if (avail < framingLength)
         break;
 
       payloadLength64 = mFramePtr[2] << 8 | mFramePtr[3];
+
+      if(payloadLength64 < 126){
+        // Section 5.2 says that the minimal number of bytes MUST
+        // be used to encode the length in all cases
+        LOG(("WebSocketChannel:: non-minimal-encoded payload length"));
+        return NS_ERROR_ILLEGAL_VALUE;
+      }
+
     } else {
       // 64 bit length
       framingLength += 8;
       if (avail < framingLength)
         break;
 
       if (mFramePtr[2] & 0x80) {
         // Section 4.2 says that the most significant bit MUST be
         // 0. (i.e. this is really a 63 bit value)
         LOG(("WebSocketChannel:: high bit of 64 bit length set"));
         return NS_ERROR_ILLEGAL_VALUE;
       }
 
       // copy this in case it is unaligned
       payloadLength64 = NetworkEndian::readInt64(mFramePtr + 2);
+
+      if(payloadLength64 <= 0xffff){
+        // Section 5.2 says that the minimal number of bytes MUST
+        // be used to encode the length in all cases
+        LOG(("WebSocketChannel:: non-minimal-encoded payload length"));
+        return NS_ERROR_ILLEGAL_VALUE;
+      }
+
     }
 
     payload = mFramePtr + framingLength;
     avail -= framingLength;
 
     LOG(("WebSocketChannel::ProcessInput: payload %" PRId64 " avail %" PRIu32 "\n",
          payloadLength64, avail));
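Review bot: Both new rejection paths, the 16 bit check after `payloadLength64 = mFramePtr[2] << 8 | mFramePtr[3];` and the 64 bit check after the `readInt64` call, log the identical string `non-minimal-encoded payload length`, so the log cannot show which length form was refused or what value the peer sent. A non-minimal length is a protocol violation that is useful to trace back to the sending endpoint, so I would log the form and the decoded value, e.g. `LOG(("WebSocketChannel:: non-minimal 16 bit payload length %" PRId64, payloadLength64));` plus the 64 bit counterpart; the existing LOG at the end of the hunk already formats `payloadLength64` with `PRId64`. As a style point, `if(payloadLength64 < 126){` and `if(payloadLength64 <= 0xffff){` should be spaced like the neighbouring `if (mFramePtr[2] & 0x80) {`, and the blank line before each closing brace can be dropped. ProcessInput starts and ends outside this hunk, so what the caller does with NS_ERROR_ILLEGAL_VALUE is not visible here.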