capture: properly validate WS packet payload size #438

2023-06-09 14:29:29 +02:00 · 2023-06-09 14:29:29 +02:00 · ad1daf15c8
parent a7b8436818
commit ad1daf15c8
1 changed files with 11 additions and 2 deletions
--- a/src/capture.c
+++ b/src/capture.c
@ -901,8 +901,8 @@ capture_ws_check_packet(packet_t *packet)
    size_payload = packet_payloadlen(packet);
    payload = packet_payload(packet);

-    // Check we have payload
-    if (size_payload == 0)
+    // Check we have enough payload (base)
+    if (size_payload == 0 || size_payload <= 2)
        return 0;

    // Flags && Opcode
@ -931,8 +931,17 @@ capture_ws_check_packet(packet_t *packet)
            return 0;
    }

+    // Check we have enough payload (base + extended payload headers)
+    if ((int32_t) size_payload - ws_off <= 0) {
+        return 0;
+    }
+
    // Get Masking key if mask is enabled
    if (ws_mask) {
+        // Check we have enough payload (base + extended payload headers + mask)
+        if ((int32_t) size_payload - ws_off - 4 <= 0) {
+            return 0;
+        }
        memcpy(ws_mask_key, (payload + ws_off), 4);
        ws_off += 4;
    }