Check for int overflow when parsing WS frames

PUBLISHED_FROM=b7325b38e881455df703b0b628c41931565ccb33
2024-11-28 13:49:01 +08:00 · 2017-09-06 18:25:27 +01:00 · 2017-09-06 18:25:27 +01:00 · c8af7cdd27
commit c8af7cdd27
parent f857f6394f
1 changed files with 7 additions and 1 deletions
--- a/mongoose.c
+++ b/mongoose.c
@ -9204,7 +9204,13 @@ static int mg_deliver_websocket_data(struct mg_connection *nc) {
  }

  frame_len = header_len + data_len;
-  ok = frame_len > 0 && frame_len <= buf_len;
+  ok = (frame_len > 0 && frame_len <= buf_len);
+
+  /* Check for overflow */
+  if (frame_len < header_len || frame_len < data_len) {
+    ok = 0;
+    nc->flags |= MG_F_CLOSE_IMMEDIATELY;
+  }

  if (ok) {
    struct websocket_message wsm;