core: add CVE id in ChangeLog

core: force version 18.04 of Ubuntu in CI
relay: fix crash when decoding a malformed websocket frame
2026-06-12 22:24:47 +02:00 · 2021-09-07 20:33:44 +02:00 · 2021-09-04 23:14:48 +02:00 · 2021-09-04 23:09:19 +02:00 · 2021-09-04 23:06:58 +02:00
4 changed files with 21 additions and 8 deletions
@@ -7,7 +7,7 @@ jobs:
  build:

    name: ${{ matrix.config.name }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-18.04
    strategy:
      fail-fast: false
      matrix:
@@ -15,6 +15,13 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]
 (file _ReleaseNotes.adoc_ in sources).


+[[v3.0.2]]
+== Version 3.0.2 (under dev)
+
+Bug fixes::
+
+  * relay: fix crash when decoding a malformed websocket frame (CVE-2021-40516)
+
 [[v3.0.1]]
 == Version 3.0.1 (2021-01-31)

@@ -278,7 +278,7 @@ relay_websocket_decode_frame (const unsigned char *buffer,
    index_buffer = 0;

    /* loop to decode all frames in message */
-    while (index_buffer + 2 <= buffer_length)
+    while (index_buffer + 1 < buffer_length)
    {
        opcode = buffer[index_buffer] & 15;

@@ -293,10 +293,12 @@ relay_websocket_decode_frame (const unsigned char *buffer,
        length_frame_size = 1;
        length_frame = buffer[index_buffer + 1] & 127;
        index_buffer += 2;
+        if (index_buffer >= buffer_length)
+            return 0;
        if ((length_frame == 126) || (length_frame == 127))
        {
            length_frame_size = (length_frame == 126) ? 2 : 8;
-            if (buffer_length < 1 + length_frame_size)
+            if (index_buffer + length_frame_size > buffer_length)
                return 0;
            length_frame = 0;
            for (i = 0; i < length_frame_size; i++)
@@ -306,10 +308,9 @@ relay_websocket_decode_frame (const unsigned char *buffer,
            index_buffer += length_frame_size;
        }

-        if (buffer_length < 1 + length_frame_size + 4 + length_frame)
-            return 0;
-
        /* read masks (4 bytes) */
+        if (index_buffer + 4 > buffer_length)
+            return 0;
        int masks[4];
        for (i = 0; i < 4; i++)
        {
@@ -333,6 +334,11 @@ relay_websocket_decode_frame (const unsigned char *buffer,
        *decoded_length += 1;

        /* decode data using masks */
+        if ((length_frame > buffer_length)
+            || (index_buffer + length_frame > buffer_length))
+        {
+            return 0;
+        }
        for (i = 0; i < length_frame; i++)
        {
            decoded[*decoded_length + i] = (int)((unsigned char)buffer[index_buffer + i]) ^ masks[i % 4];
@@ -33,8 +33,8 @@
 #

 WEECHAT_STABLE=3.0.1
-WEECHAT_DEVEL=3.0.1
-WEECHAT_DEVEL_FULL=3.0.1
+WEECHAT_DEVEL=3.0.2
+WEECHAT_DEVEL_FULL=3.0.2-dev

 if [ $# -lt 1 ]; then
    echo >&2 "Syntax: $0 stable|devel|devel-full|devel-major|devel-minor|devel-patch"
Author	SHA1	Message	Date
Sébastien Helleu	8b5da3c6cb	core: add CVE id in ChangeLog	2021-09-07 20:33:44 +02:00
Sébastien Helleu	e852cef92a	core: force version 18.04 of Ubuntu in CI	2021-09-04 23:14:48 +02:00
Sébastien Helleu	84e44632e5	relay: fix crash when decoding a malformed websocket frame	2021-09-04 23:09:19 +02:00
Sébastien Helleu	77bbd5f875	Version 3.0.2-dev	2021-09-04 23:06:58 +02:00