[webkit-reviews] review requested: [Bug 51253] WebSockets: unbounded buffer growth when server sends bad data : [Attachment 76879] patch to check beginning bytes of buffer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 17 08:02:42 PST 2010


Joe Mason <jmason at rim.com> has asked for review:
Bug 51253: WebSockets: unbounded buffer growth when server sends bad data
https://bugs.webkit.org/show_bug.cgi?id=51253

Attachment 76879: patch to check beginning bytes of buffer
https://bugs.webkit.org/attachment.cgi?id=76879&action=review

------- Additional Comments from Joe Mason <jmason at rim.com>
My solution is to check the exact beginning bytes of the buffer for "HTTP/"
before calling strnstr.  This makes sure that if a websocket frame without a
handshake is sent it will disconnect immediately, and is safer because the
existing handshake parser could accept other line-oriented protocols with
different text before the first space.

It just occurred to me that this fix still leaves us vulnerable to a server that
sends "HTTP/\0".

Unfortunately, I haven't had time to create a test case, but I wanted to file
this before going on vacation tomorrow.
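The check described in the comment, written out as an added example for this page (it is not the WebKit patch itself, whose code is not shown here): the first received bytes are compared against "HTTP/" as soon as they arrive, the search for the header terminator is length-bounded and does not stop at a NUL, which covers the "HTTP/\0" case the comment raises, and the amount buffered while waiting for the terminator is capped. The function names and the 4096-byte limit are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bound on bytes buffered while waiting for the header terminator (constructed limit). */
#define HANDSHAKE_MAX_BYTES 4096

enum handshake_state { HS_NEED_MORE, HS_COMPLETE, HS_REJECT };

/* Length-bounded scan for the end of the header block ("\r\n\r\n") that,
 * unlike strnstr, does not stop at an embedded NUL byte. */
static const uint8_t *find_header_end(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return buf + i + 4;
    return NULL;
}

/* Classify what the server has sent so far. */
enum handshake_state check_handshake_prefix(const uint8_t *buf, size_t len) {
    static const char prefix[] = "HTTP/";
    const size_t plen = sizeof(prefix) - 1;
    /* Compare the bytes already received against the expected start of the
     * status line, so a raw frame or another protocol is rejected at once. */
    size_t n = len < plen ? len : plen;
    if (memcmp(buf, prefix, n) != 0)
        return HS_REJECT;
    if (len < plen)
        return HS_NEED_MORE;
    /* A NUL inside the header region (e.g. "HTTP/\0") is never valid, and a
     * strnstr search would stop there and never find the terminator. Bytes
     * after the terminator are frame data and are allowed to be NUL. */
    const uint8_t *end = find_header_end(buf, len);
    size_t hdr_len = end ? (size_t)(end - buf) : len;
    if (memchr(buf, '\0', hdr_len) != NULL)
        return HS_REJECT;
    if (end != NULL)
        return HS_COMPLETE;
    /* No terminator yet: keep reading, but only up to a fixed bound. */
    return len >= HANDSHAKE_MAX_BYTES ? HS_REJECT : HS_NEED_MORE;
}

/* Unterminated header bytes past the bound must be rejected, not buffered forever. */
int oversized_is_rejected(void) {
    static uint8_t buf[HANDSHAKE_MAX_BYTES + 1];
    memset(buf, 'x', sizeof buf);
    memcpy(buf, "HTTP/1.1 101 ", 13);
    return check_handshake_prefix(buf, sizeof buf) == HS_REJECT;
}
```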

