[Webkit-unassigned] [Bug 51253] New: WebSockets: unbounded buffer growth when server sends bad data
bugzilla-daemon at webkit.org
Fri Dec 17 07:55:10 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=51253
Summary: WebSockets: unbounded buffer growth when server sends bad data
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
URL: http://bohuco.net/dev/websocket/
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebCore JavaScript
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: jmason at rim.com
If a server sends data with an embedded NULL before the handshake, the socket will stay in the "connecting" state and buffer all data sent to it. The reason is this clause in WebSocketHandshake::readServerHandshake:
if (!strnstr(header, "\r\n\r\n", len)) {
// Just hasn't been received fully yet.
m_mode = Incomplete;
return -1;
}
strnstr stops searching at the first NULL, so if one is found before \r\n\r\n then the client will continue to read more data and then search the same segment of the buffer for \r\n\r\n.
This can be seen on http://bohuco.net/dev/websocket/, whose server has a race condition: every time data is received from one connected socket it is echoed to all connected sockets without checking their state, even those that have not completed a handshake. So it's possible for the first bytes received by a client to be a WebSocket frame, which begins with NULL. (To test this, open a window to http://bohuco.net/dev/websocket/ and move the mouse continuously in it while connecting to the same site in another window. It will trigger the race condition at least half the time.)
The correct thing to do is to disconnect immediately when an invalid frame is received from the server instead of a handshake.
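The failure the report describes, as an added example that is not WebKit's code and not part of the original bug: a minimal emulation of BSD strnstr(3) (glibc has no strnstr, so the emulation is written here) shows the search giving up at a leading 0x00 byte, and a hardened reader beside it treats a NUL before the header terminator as a protocol violation and also bounds the buffer. The handshake text and the 0x00...0xFF text frame are constructed sample bytes assuming the draft framing the report refers to; the HS_MAX cap and every function and type name are assumptions for the example, not WebKit identifiers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Emulation of BSD strnstr(3): searches at most len bytes of haystack for
 * the NUL-terminated needle, but stops at the first NUL in haystack.  That
 * early stop is what makes a buffer beginning with a 0x00 frame byte look
 * "not received fully yet" forever. */
static const char *strnstr_emul(const char *haystack, const char *needle, size_t len)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i < len && haystack[i] != '\0'; i++) {
        if (i + nlen > len)
            break;
        if (memcmp(haystack + i, needle, nlen) == 0)
            return haystack + i;
    }
    return NULL;
}

/* NUL-transparent search for the end of the HTTP header block.
 * Returns the offset just past "\r\n\r\n", or -1 if it is not present. */
static long find_header_end(const unsigned char *buf, size_t len)
{
    static const unsigned char term[4] = { '\r', '\n', '\r', '\n' };
    for (size_t i = 0; i + sizeof term <= len; i++)
        if (memcmp(buf + i, term, sizeof term) == 0)
            return (long)(i + sizeof term);
    return -1;
}

enum hs_status { HS_INCOMPLETE = 0, HS_COMPLETE = 1, HS_INVALID = 2 };

#define HS_MAX 4096 /* hypothetical cap on handshake bytes; the report's client has none */

typedef struct {
    unsigned char buf[HS_MAX];
    size_t len;
} hs_reader;

/* Hardened version of the decision quoted from readServerHandshake (example
 * logic, not WebKit's).  Appends the bytes and classifies what has arrived.
 * A NUL anywhere before the header terminator cannot belong to a handshake
 * (header lines are text), so it is rejected at once rather than buffered. */
static enum hs_status hs_feed(hs_reader *r, const unsigned char *data, size_t n)
{
    if (n > HS_MAX - r->len)
        return HS_INVALID; /* bound growth even when no NUL ever shows up */
    memcpy(r->buf + r->len, data, n);
    r->len += n;

    long end = find_header_end(r->buf, r->len);
    size_t scan = end >= 0 ? (size_t)end : r->len; /* bytes after a complete header are frame data */
    if (memchr(r->buf, 0, scan) != NULL)
        return HS_INVALID; /* a frame byte where a header line should be */
    return end >= 0 ? HS_COMPLETE : HS_INCOMPLETE;
}

/* Constructed sample: a 0x00...0xFF text frame echoed by the racy server
 * before its handshake response, followed by the real response. */
static const unsigned char sample_frame[] = "\x00" "hello" "\xff";
static const unsigned char sample_handshake[] =
    "HTTP/1.1 101 WebSocket Protocol Handshake\r\n"
    "Upgrade: WebSocket\r\n"
    "Connection: Upgrade\r\n"
    "\r\n";

/* Buggy path: scan frame+handshake the way strnstr does.
 * Returns 1 if the terminator was found, 0 if the search gave up at the NUL. */
static int buggy_sees_terminator(void)
{
    unsigned char both[sizeof sample_frame - 1 + sizeof sample_handshake - 1];
    memcpy(both, sample_frame, sizeof sample_frame - 1);
    memcpy(both + sizeof sample_frame - 1, sample_handshake, sizeof sample_handshake - 1);
    return strnstr_emul((const char *)both, "\r\n\r\n", sizeof both) != NULL;
}

/* Hardened path: the frame is rejected before any handshake text is read. */
static enum hs_status hardened_on_frame_first(void)
{
    hs_reader r = { 0 };
    enum hs_status s = hs_feed(&r, sample_frame, sizeof sample_frame - 1);
    if (s != HS_INVALID)
        s = hs_feed(&r, sample_handshake, sizeof sample_handshake - 1);
    return s;
}

/* Hardened path with a well-behaved server whose response arrives in two chunks. */
static enum hs_status hardened_on_split_handshake(void)
{
    hs_reader r = { 0 };
    enum hs_status s = hs_feed(&r, sample_handshake, 20);
    if (s != HS_INCOMPLETE)
        return HS_INVALID; /* it must wait for the rest, not reject or accept early */
    return hs_feed(&r, sample_handshake + 20, sizeof sample_handshake - 1 - 20);
}

int main(void)
{
    printf("strnstr finds terminator after leading NUL: %d\n", buggy_sees_terminator());
    printf("hardened reader, frame first: %d (2 = invalid)\n", hardened_on_frame_first());
    printf("hardened reader, split handshake: %d (1 = complete)\n", hardened_on_split_handshake());
    return 0;
}
```

The two checks in hs_feed are independent: the NUL test closes the exact case in the report, and the HS_MAX bound closes the more general one where a server trickles bytes that never contain the terminator at all.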