Commit 72b88e89 authored by Claudio Saavedra, committed by Carlos Garcia Campos

WebSockets: fix read after free in send_message()

g_byte_array_append() can reallocate its data, so make sure that we
don't rely on any pointer pointing to it after calling it.
parent 539909ed
......@@ -153,6 +153,7 @@ struct _SoupWebsocketConnectionPrivate {
#define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024
#define READ_BUFFER_SIZE 1024
#define MASK_LENGTH 4
G_DEFINE_TYPE_WITH_PRIVATE (SoupWebsocketConnection, soup_websocket_connection, G_TYPE_OBJECT)
......@@ -470,8 +471,7 @@ send_message (SoupWebsocketConnection *self,
GByteArray *bytes;
gsize frame_len;
guint8 *outer;
guint8 *mask = 0;
guint at;
guint8 mask_offset;
GBytes *filtered_bytes;
GList *l;
GError *error = NULL;
......@@ -543,16 +543,15 @@ send_message (SoupWebsocketConnection *self,
if (self->pv->connection_type == SOUP_WEBSOCKET_CONNECTION_CLIENT) {
guint32 rnd = g_random_int ();
outer[1] |= 0x80;
mask = outer + bytes->len;
memcpy (mask, &rnd, sizeof (rnd));
bytes->len += 4;
mask_offset = bytes->len;
memcpy (outer + mask_offset, &rnd, sizeof (rnd));
bytes->len += MASK_LENGTH;
}
at = bytes->len;
g_byte_array_append (bytes, data, length);
if (self->pv->connection_type == SOUP_WEBSOCKET_CONNECTION_CLIENT)
xor_with_mask (mask, bytes->data + at, length);
xor_with_mask (bytes->data + mask_offset, bytes->data + mask_offset + MASK_LENGTH, length);
frame_len = bytes->len;
queue_frame (self, flags, g_byte_array_free (bytes, FALSE),