[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 1/2] CVE-2015-1779: incrementally decode websock
From: |
Gerd Hoffmann |
Subject: |
Re: [Qemu-devel] [PATCH 1/2] CVE-2015-1779: incrementally decode websocket frames |
Date: |
Wed, 01 Apr 2015 15:36:55 +0200 |
Hi,
> > + if (input->offset < *payload_remain) {
> > + *payload_size = input->offset - (input->offset % 4);
> > + } else {
> > + *payload_size = input->offset;
>
> This can set *payload_size to a value larger than
> *payload_remain, if the input buffer happens to contain
> further data after the end of this packet...
>
> > + }
> > + if (*payload_size == 0) {
> > return 0;
> > }
> > -
> > - *payload = input->buffer + header_size;
> > + *payload_remain -= *payload_size;
>
> ...at which point this will end up making
> *payload_remain negative. Disconnection happens shortly
> afterwards.
>
> Should the line
> *payload_size = input->offset;
> actually read
> *payload_size = *payload_remain;
>
> ?
>
> Making that change appears to fix the novnc disconnects
> that Gerd reports.
Confirmed. Fixes the issues I've seen in testing and looks sensible to
me. Comment from Daniel would be nice, especially as I know next to
nothing about websockets, but he seems to be off into the easter
holidays already.
So, with -rc2 waiting for this (and being late already) I think I'll
squash in the incremental fix and prepare a pull request even without
Daniels ack ...
cheers,
Gerd
- Re: [Qemu-devel] [PATCH 1/2] CVE-2015-1779: incrementally decode websocket frames,
Gerd Hoffmann <=