[webkit-reviews] review requested: [Bug 51253] WebSockets: unbounded buffer growth when server sends bad data : [Attachment 76879] patch to check beginning bytes of buffer
bugzilla-daemon at webkit.org
Fri Dec 17 08:02:42 PST 2010
Joe Mason <jmason at rim.com> has asked for review:
Bug 51253: WebSockets: unbounded buffer growth when server sends bad data
https://bugs.webkit.org/show_bug.cgi?id=51253
Attachment 76879: patch to check beginning bytes of buffer
https://bugs.webkit.org/attachment.cgi?id=76879&action=review
------- Additional Comments from Joe Mason <jmason at rim.com>
My solution is to check the exact beginning bytes of the buffer for "HTTP/"
before calling strnstr. This makes sure that if a websocket frame without a
handshake is sent it will disconnect immediately, and is safer because the
existing handshake parser could accept other line-oriented protocols with
different text before the first space.
It just occurred to me that this fix still leaves us vulnerable to a server that sends
"HTTP/\0".
Unfortunately, I haven't had time to create a test case, but I wanted to file
this before going on vacation tomorrow.