From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH 1/2] CVE-2015-1779: incrementally decode websocket frames
Date: Tue, 31 Mar 2015 19:01:37 +0100

On 23 March 2015 at 22:58, Daniel P. Berrange <address@hidden> wrote:
> - if (*payload_size < 126) {
> - header_size = 6;
> - mask = header->u.m;
> - } else if (*payload_size == 126 && input->offset >= 8) {
> - *payload_size = be16_to_cpu(header->u.s16.l16);
> - header_size = 8;
> - mask = header->u.s16.m16;
> - } else if (*payload_size == 127 && input->offset >= 14) {
> - *payload_size = be64_to_cpu(header->u.s64.l64);
> - header_size = 14;
> - mask = header->u.s64.m64;
> + if (payload_len < 126) {
> + *payload_remain = payload_len;
> + *header_size = 6;
> + *payload_mask = header->u.m;
> + } else if (payload_len == 126 && input->offset >= 8) {
> + *payload_remain = be16_to_cpu(header->u.s16.l16);
> + *header_size = 8;
> + *payload_mask = header->u.s16.m16;
> + } else if (payload_len == 127 && input->offset >= 14) {
> + *payload_remain = be64_to_cpu(header->u.s64.l64);
> + *header_size = 14;
> + *payload_mask = header->u.s64.m64;
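Review bot: in the `payload_len == 127` branch the value from `be64_to_cpu(header->u.s64.l64)` is stored into `*payload_remain` with no bound check, so on a host where `size_t` is 32 bits a length above 4 GiB is silently truncated, and on any host the peer picks the length that the rest of the decoder will work against. Compare the 64-bit value against a maximum accepted frame size before the assignment and fail the frame if it is exceeded; RFC 6455 section 5.2 also requires the most significant bit of this 64-bit length to be zero and the shortest encoding to be used, so a set bit 63, a 16-bit length below 126, or a 64-bit length below 65536 can be rejected as a protocol error at the same point. Separately, the `payload_len < 126` branch reads `header->u.m` without a visible `input->offset >= 6` test, while the other two branches carry `input->offset >= 8` and `>= 14`; if the 6-byte minimum is not checked before this `if`, it needs the same guard.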
We were already doing this before, but if this is a 32 bit
machine then the assignment to *payload_remain in this
case is going to be assigning a 64-bit value from the datastream
to a 32-bit size_t, which doesn't seem like a great idea
to just silently do, though I suppose the datastream is in
complete control of that value anyway.
-- PMM
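To make the truncation concern concrete, here is an added example of a frame-length decoder that refuses lengths it cannot hold before narrowing them to `size_t`. This is not QEMU's code and not from the patch or this reply: it parses the header from raw bytes rather than QEMU's header struct, and `ws_decode_length`, the `WS_LEN_*` statuses, `max_payload` and the sample frames are all invented for the example. The bound is taken from a caller-supplied `size_t` limit, so any length that passes the comparison is guaranteed to fit the `size_t` output whatever the host's word size, which is the check the quoted hunk lacks.

```c
/*
 * Added example, not QEMU's code: decode the length field of an RFC 6455
 * masked frame header from raw bytes, refusing lengths that would not fit
 * in a size_t or that exceed a caller-supplied limit. ws_decode_length,
 * the WS_LEN_* names and the SAMPLE_* frames are made up for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    WS_LEN_OK = 0,     /* *header_size, *payload_len and mask are valid */
    WS_LEN_NEED_MORE,  /* header not complete yet; wait for more input */
    WS_LEN_INVALID,    /* RFC 6455 violation: MSB set or non-minimal length */
    WS_LEN_TOO_LARGE   /* length exceeds max_payload (and so cannot truncate) */
} ws_len_status;

static uint16_t be16_load(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint64_t be64_load(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) {
        v = (v << 8) | p[i];
    }
    return v;
}

/*
 * buf/avail: bytes buffered so far (client-to-server frames, so a 4-byte
 * mask follows the length, as in the hunk: header sizes 6, 8 or 14).
 * max_payload: largest frame the server accepts. Because it is a size_t,
 * a length that passes the comparison also fits *payload_len exactly.
 */
ws_len_status ws_decode_length(const uint8_t *buf, size_t avail, size_t max_payload,
                               size_t *header_size, size_t *payload_len, uint8_t mask[4])
{
    if (avail < 6) {
        return WS_LEN_NEED_MORE;
    }
    uint8_t len7 = buf[1] & 0x7f;
    uint64_t len64;
    size_t hdr;

    if (len7 < 126) {
        len64 = len7;
        hdr = 6;
    } else if (len7 == 126) {
        if (avail < 8) {
            return WS_LEN_NEED_MORE;
        }
        len64 = be16_load(buf + 2);
        hdr = 8;
        if (len64 < 126) {
            return WS_LEN_INVALID;  /* must have used the 7-bit form */
        }
    } else {
        if (avail < 14) {
            return WS_LEN_NEED_MORE;
        }
        len64 = be64_load(buf + 2);
        hdr = 14;
        if (len64 >> 63) {
            return WS_LEN_INVALID;  /* RFC 6455 5.2: bit 63 must be zero */
        }
        if (len64 < 65536) {
            return WS_LEN_INVALID;  /* must have used the 16-bit form */
        }
    }

    /* Explicit bound check before the narrowing assignment below. */
    if (len64 > (uint64_t)max_payload) {
        return WS_LEN_TOO_LARGE;
    }
    *header_size = hdr;
    *payload_len = (size_t)len64;
    memcpy(mask, buf + hdr - 4, 4);
    return WS_LEN_OK;
}

/* Constructed sample headers; mask bytes 0xaa..0xdd are arbitrary. */
static const uint8_t SAMPLE_SHORT[]  = {0x81, 0x85, 0xaa, 0xbb, 0xcc, 0xdd};
static const uint8_t SAMPLE_EXT16[]  = {0x81, 0xfe, 0x01, 0x00, 0xaa, 0xbb, 0xcc, 0xdd};
static const uint8_t SAMPLE_NONMIN[] = {0x81, 0xfe, 0x00, 0x05, 0xaa, 0xbb, 0xcc, 0xdd};
static const uint8_t SAMPLE_MSB[]    = {0x81, 0xff, 0x80, 0, 0, 0, 0, 0, 0, 0,
                                        0xaa, 0xbb, 0xcc, 0xdd};
/* Length 2^32: stored unchecked in a 32-bit size_t this would become 0. */
static const uint8_t SAMPLE_4GIB[]   = {0x81, 0xff, 0, 0, 0, 1, 0, 0, 0, 0,
                                        0xaa, 0xbb, 0xcc, 0xdd};

int main(void)
{
    static const char *names[] = {"ok", "need-more", "invalid", "too-large"};
    size_t h = 0, l = 0;
    uint8_t m[4];
    ws_len_status s;

    s = ws_decode_length(SAMPLE_4GIB, sizeof SAMPLE_4GIB, 1u << 20, &h, &l, m);
    printf("2^32-byte frame against a 1 MiB limit: %s\n", names[s]);
    s = ws_decode_length(SAMPLE_EXT16, sizeof SAMPLE_EXT16, 1u << 20, &h, &l, m);
    printf("16-bit length frame: %s, header %zu, payload %zu\n", names[s], h, l);
    return 0;
}
```

The limit is deliberately a `size_t` rather than a `uint64_t` so that the single comparison covers both policy (frames bigger than the server wants) and representability (frames bigger than the host can address); the caller decides what happens on `WS_LEN_TOO_LARGE` or `WS_LEN_INVALID`, typically closing the connection rather than continuing to decode.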