[Webkit-unassigned] [Bug 51253] WebSockets: unbounded buffer growth when server sends bad data
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Dec 17 08:02:43 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=51253
Joe Mason <jmason at rim.com> changed:
What                   |Removed |Added
----------------------------------------------------------------------------
Attachment #76879 Flag |        |review?
--- Comment #1 from Joe Mason <jmason at rim.com> 2010-12-17 08:02:43 PST ---
Created an attachment (id=76879)
--> (https://bugs.webkit.org/attachment.cgi?id=76879&action=review)
patch to check beginning bytes of buffer
My solution is to check the exact beginning bytes of the buffer for "HTTP/" before calling strnstr. This makes sure that if a websocket frame without a handshake is sent it will disconnect immediately, and is safer because the existing handshake parser could accept other line-oriented protocols with different text before the first space.
It just occurred to me that this fix still leaves us vulnerable to a server that sends "HTTP/\0".
Unfortunately, I haven't had time to create a test case, but I wanted to file this before going on vacation tomorrow.
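As an added example (not the attached patch and not WebKit code), the following C sketch shows the shape of the check described in the comment: compare the bytes received so far against the "HTTP/" prefix with explicit lengths, and disconnect on the first mismatch instead of buffering. It goes beyond the comment in two labelled respects: it also rejects any embedded NUL byte, which closes the "HTTP/\0" gap the comment notes is still open when the prefix alone is compared before a C-string search such as strnstr, and it caps the number of handshake bytes kept while waiting for the "\r\n\r\n" terminator. All names, the `HANDSHAKE_MAX_BYTES` value and the sample inputs are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap on how many handshake bytes a client will buffer before
   giving up (constructed value for this example, not a WebKit constant). */
#define HANDSHAKE_MAX_BYTES 4096

typedef enum {
    HS_NEED_MORE, /* consistent with an HTTP response so far; keep reading */
    HS_COMPLETE,  /* full status line and headers received */
    HS_REJECT     /* not an HTTP response, contains NUL, or exceeds the cap: disconnect */
} hs_status;

/* Classify the bytes received from the server so far. On HS_COMPLETE, and if
   header_len is non-NULL, *header_len receives the length up to and including
   the "\r\n\r\n" terminator. */
hs_status check_handshake(const unsigned char *buf, size_t len, size_t *header_len)
{
    static const char prefix[] = "HTTP/";
    static const char terminator[] = "\r\n\r\n";
    const size_t prefix_len = sizeof(prefix) - 1;
    const size_t term_len = sizeof(terminator) - 1;

    if (len == 0)
        return HS_NEED_MORE;

    /* 1. Compare the bytes actually present against the expected prefix using
          explicit lengths, not a C-string search. A partial match such as "HT"
          just needs more data; any mismatch means the peer is not speaking HTTP
          (a frame sent without a handshake, or some other line-oriented
          protocol), so stop buffering immediately. */
    size_t n = len < prefix_len ? len : prefix_len;
    if (memcmp(buf, prefix, n) != 0)
        return HS_REJECT;
    if (len < prefix_len)
        return HS_NEED_MORE;

    /* 2. Reject embedded NUL bytes (assumption added here). The handshake is
          text, and a NUL would make a C-string search such as strnstr stop
          early; this covers "HTTP/\0", which the prefix comparison alone passes. */
    if (memchr(buf, '\0', len) != NULL)
        return HS_REJECT;

    /* 3. Bounded scan for the end of the header block. */
    for (size_t i = 0; i + term_len <= len; i++) {
        if (memcmp(buf + i, terminator, term_len) == 0) {
            if (header_len)
                *header_len = i + term_len;
            return HS_COMPLETE;
        }
    }

    /* 4. No terminator yet: keep buffering only while under the cap, so a
          server that never sends one cannot grow the buffer without bound. */
    return len < HANDSHAKE_MAX_BYTES ? HS_NEED_MORE : HS_REJECT;
}

/* Convenience wrapper for NUL-free C-string inputs. */
hs_status check_handshake_cstr(const char *s, size_t *header_len)
{
    return check_handshake((const unsigned char *)s, strlen(s), header_len);
}

/* Returns the header length for a complete handshake string, or 0 otherwise. */
size_t handshake_header_len(const char *s)
{
    size_t hl = 0;
    return check_handshake_cstr(s, &hl) == HS_COMPLETE ? hl : 0;
}

/* Simulates a server that sends a valid prefix followed by header bytes that
   never terminate; returns the verdict once the cap is reached. */
hs_status check_never_terminating_server(void)
{
    static unsigned char buf[HANDSHAKE_MAX_BYTES];
    memset(buf, 'x', sizeof buf);
    memcpy(buf, "HTTP/", 5);
    return check_handshake(buf, sizeof buf, NULL);
}

int main(void)
{
    /* Constructed inputs for illustration. */
    const char *good = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: WebSocket\r\n\r\n";
    printf("good handshake: %d (header bytes %zu)\n",
           check_handshake_cstr(good, NULL), handshake_header_len(good));
    printf("partial prefix: %d\n", check_handshake_cstr("HT", NULL));
    printf("other protocol: %d\n", check_handshake_cstr("GET / HTTP/1.1\r\n", NULL));
    printf("frame without handshake: %d\n",
           check_handshake((const unsigned char *)"\x00hello\xff", 7, NULL));
    printf("HTTP/ followed by NUL: %d\n",
           check_handshake((const unsigned char *)"HTTP/\0", 6, NULL));
    printf("never-terminating server: %d\n", check_never_terminating_server());
    return 0;
}
```

The important property is that every comparison is driven by the byte count actually received, never by a NUL terminator, so the verdict is the same whether the bad data arrives in one read or in fragments.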