diff --git a/CHANGELOG.md b/CHANGELOG.md
index bdf19151d..a7aec7be9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 - api: fix infinite loop in function string_replace when the search string is empty
 - irc: limit size of data received from the server to prevent memory exhaustion
 - irc: fix out-of-bounds read on incoming DCC command with a quoted filename ending the message ([#2322](https://github.com/weechat/weechat/issues/2322))
+- relay: fix read of uncompressed websocket frame ([#2331](https://github.com/weechat/weechat/issues/2331))
 - relay: limit size of received websocket frame and HTTP body to prevent memory exhaustion
 - relay: fix timing attack on password authentication ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc), [CVE-2026-53525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-53525))
 - api, relay: fix timing attack on TOTP validation ([GHSA-vhv8-g2r9-cwcc](https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc), [CVE-2026-53525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-53525))
diff --git a/src/plugins/relay/relay-websocket.c b/src/plugins/relay/relay-websocket.c
index 497e9922d..096eb317b 100644
--- a/src/plugins/relay/relay-websocket.c
+++ b/src/plugins/relay/relay-websocket.c
@@ -651,7 +651,7 @@ relay_websocket_decode_frame (const unsigned char *buffer,
     size_t size_decompressed;
     char *payload_decompressed;
     struct t_relay_websocket_frame *frames2, *ptr_frame;
-    int size, masked_frame, mask[4];
+    int size, compressed, masked_frame, mask[4];
 
     if (!buffer || !frames || !num_frames)
         return 0;
@@ -672,6 +672,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
 
     opcode = buffer[index_buffer] & 15;
 
+    /* RSV1 indicates whether this message is compressed */
+    compressed = (buffer[index_buffer] & 64) ? 1 : 0;
+
     /* check if frame is masked */
     masked_frame = (buffer[index_buffer + 1] & 128) ? 1 : 0;
 
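Review bot: `compressed` is taken from the RSV1 bit of each frame header at the added `compressed = (buffer[index_buffer] & 64) ? 1 : 0;`, but per RFC 7692 a compressed message carries RSV1 only on its first fragment; continuation frames (opcode 0) arrive with RSV1 clear. If relay_websocket_decode_frame inflates frame by frame rather than after reassembling fragments — the hunk does not show which, and the `frames`/`num_frames`/`index_buffer` names suggest a per-frame loop — the continuation frames of a fragmented compressed message would now be delivered as raw deflate bytes. In that case the flag should be latched from the first fragment and kept for the following continuation frames, e.g. `if (opcode != 0) compressed = (buffer[index_buffer] & 64) ? 1 : 0;` with `compressed` initialised once before the frame loop rather than re-read per frame. The enclosing function starts and ends outside the hunk.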
@@ -778,9 +781,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
 
     /*
      * decompress data if frame is not empty and if "permessage-deflate"
-     * is enabled
+     * is enabled and the message is compressed
      */
-    if ((length_frame > 0) && ws_deflate && ws_deflate->enabled)
+    if ((length_frame > 0) && ws_deflate && ws_deflate->enabled && compressed)
     {
         if (!ws_deflate->strm_inflate)
         {
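Review bot: With the new condition `(length_frame > 0) && ws_deflate && ws_deflate->enabled && compressed`, a frame that arrives with RSV1 set while permessage-deflate was not negotiated (`ws_deflate` NULL or `enabled` false) is accepted and its payload passed on verbatim. RFC 6455 §5.2 requires the receiving endpoint to fail the connection when a non-zero RSV bit is received and no negotiated extension gives it a meaning; the previous code did not distinguish this case either, but now that the bit is read it is cheap to reject it, e.g. `if (compressed && (!ws_deflate || !ws_deflate->enabled)) return 0;` placed before this block, assuming 0 is the function's error return as the argument check in the earlier hunk suggests. Forwarding a payload the peer flagged as compressed but that was never inflated leaves an ambiguity for the consumer that a protocol-level check should close here. The enclosing function starts and ends outside the hunk.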