mirror of
https://github.com/weechat/weechat.git
synced 2026-07-08 10:43:13 +02:00
relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
A relay client could announce a huge websocket frame (or HTTP body via "Content-Length") and dribble its payload, making WeeChat accumulate it in a buffer that grew without limit, until all memory was exhausted. The websocket frame path is reachable before authentication with the "weechat" and "irc" protocols. The announced websocket frame length and HTTP "Content-Length" are now bounded by WEBSOCKET_FRAME_MAX_LENGTH and RELAY_HTTP_BODY_MAX_LENGTH: an oversized websocket frame closes the connection, and an oversized body is rejected.
This commit is contained in:
@@ -159,6 +159,35 @@ TEST(RelayHttp, RequestAllocReinitFree)
|
||||
relay_http_request_free (request);
|
||||
}
|
||||
|
||||
/*
|
||||
* Tests functions:
|
||||
* relay_http_add_to_body (body too large is rejected)
|
||||
*/
|
||||
|
||||
TEST(RelayHttp, AddToBodyLimit)
|
||||
{
|
||||
struct t_relay_http_request *request;
|
||||
char *partial;
|
||||
|
||||
request = relay_http_request_alloc ();
|
||||
CHECK(request);
|
||||
|
||||
/* announce a body larger than the maximum allowed */
|
||||
request->status = RELAY_HTTP_BODY;
|
||||
request->content_length = RELAY_HTTP_BODY_MAX_LENGTH + 1;
|
||||
partial = strdup ("some body data");
|
||||
|
||||
relay_http_add_to_body (request, &partial);
|
||||
|
||||
/* the body must be rejected: nothing allocated, request ended */
|
||||
POINTERS_EQUAL(NULL, request->body);
|
||||
LONGS_EQUAL(0, request->body_size);
|
||||
POINTERS_EQUAL(NULL, partial);
|
||||
LONGS_EQUAL(RELAY_HTTP_END, request->status);
|
||||
|
||||
relay_http_request_free (request);
|
||||
}
|
||||
|
||||
/*
|
||||
* Tests functions:
|
||||
* relay_http_url_decode
|
||||
|
||||
Reference in New Issue
Block a user