diff --git a/ChangeLog.adoc b/ChangeLog.adoc
index 9b5d42476..511b20f87 100644
--- a/ChangeLog.adoc
+++ b/ChangeLog.adoc
@@ -15,6 +15,13 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]
 (file _ReleaseNotes.adoc_ in sources).
 
 
+[[v3.2.1]]
+== Version 3.2.1 (under dev)
+
+Bug fixes::
+
+  * relay: fix crash when decoding a malformed websocket frame
+
 [[v3.2]]
 == Version 3.2 (2021-06-13)
 
diff --git a/src/plugins/relay/relay-websocket.c b/src/plugins/relay/relay-websocket.c
index c5a7df324..7cbbaa308 100644
--- a/src/plugins/relay/relay-websocket.c
+++ b/src/plugins/relay/relay-websocket.c
@@ -278,7 +278,7 @@ relay_websocket_decode_frame (const unsigned char *buffer,
     index_buffer = 0;
 
     /* loop to decode all frames in message */
-    while (index_buffer + 2 <= buffer_length)
+    while (index_buffer + 1 < buffer_length)
     {
         opcode = buffer[index_buffer] & 15;
 
@@ -293,10 +293,12 @@ relay_websocket_decode_frame (const unsigned char *buffer,
         length_frame_size = 1;
         length_frame = buffer[index_buffer + 1] & 127;
         index_buffer += 2;
+        if (index_buffer >= buffer_length)
+            return 0;
         if ((length_frame == 126) || (length_frame == 127))
         {
             length_frame_size = (length_frame == 126) ? 2 : 8;
-            if (buffer_length < 1 + length_frame_size)
+            if (index_buffer + length_frame_size > buffer_length)
                 return 0;
             length_frame = 0;
             for (i = 0; i < length_frame_size; i++)
@@ -306,10 +308,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
             index_buffer += length_frame_size;
         }
 
-        if (buffer_length < 1 + length_frame_size + 4 + length_frame)
-            return 0;
-
         /* read masks (4 bytes) */
+        if (index_buffer + 4 > buffer_length)
+            return 0;
         int masks[4];
         for (i = 0; i < 4; i++)
         {
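Review bot: The new `if (index_buffer >= buffer_length) return 0;` after `index_buffer += 2` is subsumed by the checks that follow it — the extended-length branch tests `index_buffer + length_frame_size > buffer_length` and the mask read in the next hunk tests `index_buffer + 4 > buffer_length` — so it adds an early exit without adding coverage, and nothing states which read each guard protects. A short comment on the new line, e.g. `/* 2-byte header consumed; each following read re-checks index_buffer against buffer_length */`, would make the layering clear to the next person who touches these bounds. The loop that accumulates the 2- or 8-byte extended length falls between this hunk and the next, so its correctness with a 64-bit length field depends on the declared width of `length_frame`, which is outside the hunk and should be confirmed. relay_websocket_decode_frame starts before and continues after this hunk.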
@@ -333,6 +334,11 @@ relay_websocket_decode_frame (const unsigned char *buffer,
             *decoded_length += 1;
 
         /* decode data using masks */
+        if ((length_frame > buffer_length)
+            || (index_buffer + length_frame > buffer_length))
+        {
+            return 0;
+        }
         for (i = 0; i < length_frame; i++)
         {
             decoded[*decoded_length + i] = (int)((unsigned char)buffer[index_buffer + i]) ^ masks[i % 4];
diff --git a/version.sh b/version.sh
index e5a7b9959..6c88cdc74 100755
--- a/version.sh
+++ b/version.sh
@@ -33,8 +33,8 @@
 #
 
 WEECHAT_STABLE=3.2
-WEECHAT_DEVEL=3.2
-WEECHAT_DEVEL_FULL=3.2
+WEECHAT_DEVEL=3.2.1
+WEECHAT_DEVEL_FULL=3.2.1-dev
 
 if [ $# -lt 1 ]; then
     echo >&2 "Syntax: $0 stable|devel|devel-full|devel-major|devel-minor|devel-patch"
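Review bot: The first operand `(length_frame > buffer_length)` of the new guard is what keeps the second, `index_buffer + length_frame > buffer_length`, from wrapping when a peer supplies a huge extended length, but the code does not say so and a later cleanup could "simplify" the pair back to one comparison; a comment such as `/* check length_frame alone first: index_buffer + length_frame could overflow for a hostile 64-bit length */` would pin the intent. Returning 0 here happens after `*decoded_length` has already been advanced for this frame's opcode byte and after earlier frames were written into `decoded`, so the partial output is only safe if every caller treats a 0 return as discarding the whole result; the allocation of `decoded` and the function's callers are outside this hunk, so that should be confirmed. relay_websocket_decode_frame starts before and continues after this hunk.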