Module: sip-router
Branch: master
Commit: 6b8acf3204a8615762b0b5dcc6aac152f40b2ca0
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6b8acf3…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: Tue Sep 30 11:29:18 2014 +0200
websocket: fix checking payload_len safety check for fragmentation
- a crafted websocket frame using values spanning max unsigned int could have
caused a failed detection of unsupported fragmentation and invalid memory access
- thanks to Peter Dunkley and Hugh Waite for assisting and pin-pointing
where everything happens
---
modules/websocket/ws_frame.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/modules/websocket/ws_frame.c b/modules/websocket/ws_frame.c
index d62a317..d3814bd 100644
--- a/modules/websocket/ws_frame.c
+++ b/modules/websocket/ws_frame.c
@@ -536,7 +536,8 @@ static int decode_and_validate_ws_frame(ws_frame_t *frame,
frame->masking_key[3] = (buf[mask_start + 3] & 0xff);
/* Decode and unmask payload */
- if (len != frame->payload_len + mask_start + 4)
+ if ((unsigned long long)len != (unsigned long long)frame->payload_len
+ + mask_start + 4)
{
LM_WARN("message not complete frame size %u but received %u\n",
frame->payload_len + mask_start + 4, len);
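Review bot: the LM_WARN call in the context lines after the new condition still evaluates frame->payload_len + mask_start + 4 without the cast and prints it with %u, so for the crafted frames this fix targets the logged frame size can be the wrapped value rather than the one the comparison actually used. Apply the same (unsigned long long) cast to that argument and print it with %llu so the warning matches the check. A one-line comment above the condition saying that the widening prevents wrap-around of the sum would also keep a later cleanup from dropping the casts as redundant.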