websockets: check for negative payload lengths

icing · bagder · commit 49ca84144edf · 2024-01-16T14:56:15.000+01:00
- in en- and decoding, check the websocket frame payload lengths for negative values (from curl_off_t) and error the operation in that case - add test 2307 to verify Closes #12707
diff --git a/lib/ws.c b/lib/ws.c
@@ -225,6 +225,10 @@ static CURLcode ws_dec_read_head(struct ws_decoder *dec,
       dec->payload_len = (dec->head[2] << 8) | dec->head[3];
       break;
     case 10:
+      if(dec->head[2] > 127) {
+        failf(data, "WS: frame length longer than 64 signed not supported");
+        return CURLE_RECV_ERROR;
+      }
       dec->payload_len = ((curl_off_t)dec->head[2] << 56) |
         (curl_off_t)dec->head[3] << 48 |
         (curl_off_t)dec->head[4] << 40 |
@@ -410,6 +414,13 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data,
   size_t hlen;
   ssize_t n;
 
+  if(payload_len < 0) {
+    failf(data, "WS: starting new frame with negative payload length %"
+                CURL_FORMAT_CURL_OFF_T, payload_len);
+    *err = CURLE_SEND_ERROR;
+    return -1;
+  }
+
   if(enc->payload_remain > 0) {
     /* trying to write a new frame before the previous one is finished */
     failf(data, "WS: starting new frame with %zd bytes from last one"
diff --git a/tests/data/DISABLED b/tests/data/DISABLED
@@ -81,6 +81,8 @@
 2301
 2302
 2305
+# response body seem not to be handled by hyper
+2307
 %endif
 2043
 # The CRL test (313) doesn't work with rustls because rustls doesn't support
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
@@ -244,7 +244,7 @@ test2100 \
 \
 test2200 test2201 test2202 test2203 test2204 test2205 \
 \
-test2300 test2301 test2302 test2303 test2304 test2305 test2306 \
+test2300 test2301 test2302 test2303 test2304 test2305 test2306 test2307 \
 \
 test2400 test2401 test2402 test2403 test2404 \
 \
diff --git a/tests/data/test2307 b/tests/data/test2307
@@ -0,0 +1,71 @@
+<testcase>
+<info>
+<keywords>
+WebSockets
+</keywords>
+</info>
+
+#
+# Sends a PING with overlong payload
+<reply>
+<data nocheck="yes" nonewline="yes">
+HTTP/1.1 101 Switching to WebSockets
+Server: test-server/fake
+Upgrade: websocket
+Connection: Upgrade
+Something: else
+Sec-WebSocket-Accept: HkPsVga7+8LuxM4RGQ5p9tZHeYs=
+
+%hex[%19%7f%ff%30%30%30%30%30%30%30%30%30%30%30%30]hex%
+</data>
+# allow upgrade
+<servercmd>
+upgrade
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+# require debug for the forced CURL_ENTROPY
+<features>
+debug
+ws
+!hyper
+</features>
+<server>
+http
+</server>
+<name>
+WebSockets, overlong PING payload
+</name>
+<tool>
+lib2302
+</tool>
+<command>
+ws://%HOSTIP:%HTTPPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# PONG with no data and the 32 bit mask
+#
+<verify>
+<protocol nocheck="yes" nonewline="yes">
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: webbie-sox/3
+Accept: */*
+Upgrade: websocket
+Connection: Upgrade
+Sec-WebSocket-Version: 13
+Sec-WebSocket-Key: NDMyMTUzMjE2MzIxNzMyMQ==
+
+
+</protocol>
+# 23 == CURLE_WRITE_ERROR
+<errorcode>
+23
+</errorcode>
+</verify>
+</testcase>

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,8 @@`
`81`	`81`	`2301`
`82`	`82`	`2302`
`83`	`83`	`2305`
	`84`	`+# response body seem not to be handled by hyper`
	`85`	`+2307`
`84`	`86`	`%endif`
`85`	`87`	`2043`
`86`	`88`	`# The CRL test (313) doesn't work with rustls because rustls doesn't support`
Original file line number	Diff line number	Diff line change
`@@ -244,7 +244,7 @@ test2100 \`
`244`	`244`	`\`
`245`	`245`	`test2200 test2201 test2202 test2203 test2204 test2205 \`
`246`	`246`	`\`
`247`		`-test2300 test2301 test2302 test2303 test2304 test2305 test2306 \`
	`247`	`+test2300 test2301 test2302 test2303 test2304 test2305 test2306 test2307 \`
`248`	`248`	`\`
`249`	`249`	`test2400 test2401 test2402 test2403 test2404 \`
`250`	`250`	`\`