From 9e72c8477fbc1e7ff0f7700aa259b1e6c9938057 Mon Sep 17 00:00:00 2001
From: Anthony Minessale
Date: Wed, 24 Sep 2014 01:09:44 +0500
Subject: [PATCH] fix possible buffer overrun in websocket uri and sync the ws.c between sofia and verto (missing code from last commit)
---
 libs/sofia-sip/.update | 2 +-
 libs/sofia-sip/libsofia-sip-ua/tport/ws.c | 14 ++++++++++----
 libs/sofia-sip/libsofia-sip-ua/tport/ws.h | 1 +
 src/mod/endpoints/mod_verto/ws.c | 14 ++++++++++----
 src/mod/endpoints/mod_verto/ws.h | 1 +
 5 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/libs/sofia-sip/.update b/libs/sofia-sip/.update
index d87400bf8e..cb2691c2a1 100644
--- a/libs/sofia-sip/.update
+++ b/libs/sofia-sip/.update
@@ -1 +1 @@
-Tue Sep 23 20:16:55 CDT 2014
+Wed Sep 24 01:09:42 CDT 2014
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/ws.c b/libs/sofia-sip/libsofia-sip-ua/tport/ws.c
index 6e91ff6493..2fcd7021c0 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/ws.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/ws.c
@@ -241,7 +241,6 @@ int ws_handshake(wsh_t *wsh)
 char version[5] = "";
 char proto[256] = "";
 char proto_buf[384] = "";
- char uri[256] = "";
 char input[256] = "";
 unsigned char output[SHA1_HASH_SIZE] = "";
 char b64[256] = "";
@@ -276,9 +275,11 @@ int ws_handshake(wsh_t *wsh)
 if (!e) {
 goto err;
 }
-
- strncpy(uri, p, e-p);
-
+
+ wsh->uri = malloc((e-p) + 1);
+ strncpy(wsh->uri, p, e-p);
+ *(wsh->uri + (e-p)) = '\0';
+
 cheezy_get_var(wsh->buffer, "Sec-WebSocket-Key", key, sizeof(key));
 cheezy_get_var(wsh->buffer, "Sec-WebSocket-Version", version, sizeof(version));
 cheezy_get_var(wsh->buffer, "Sec-WebSocket-Protocol", proto, sizeof(proto));
@@ -615,6 +616,11 @@ ssize_t ws_close(wsh_t *wsh, int16_t reason)
 wsh->down = 1;
+ if (wsh->uri) {
+ free(wsh->uri);
+ wsh->uri = NULL;
+ }
+
 if (reason && wsh->sock != ws_sock_invalid) {
 uint16_t *u16;
 uint8_t fr[4] = {WSOC_CLOSE | 0x80, 2, 0};
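Review bot: The `malloc((e-p) + 1)` result in the second ws_handshake hunk is written through by `strncpy` on the next line without a NULL check, so an allocation failure while parsing a client's request line becomes a NULL-pointer write. Guard it with `if (!(wsh->uri = malloc((e-p) + 1))) { goto err; }`, and since the length is already known, `memcpy(wsh->uri, p, e-p);` states the intent more directly than `strncpy`. If ws_handshake can run more than once on the same wsh_t (not visible here, the function body starts and ends outside the hunk), the previous wsh->uri is overwritten and leaked; freeing it before the assignment would cover that case. The identical hunk in src/mod/endpoints/mod_verto/ws.c has the same gap.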
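Review bot: The new `free(wsh->uri)` in ws_close is only safe if every wsh_t reaches it with uri either NULL or a live malloc pointer, and nothing in this patch initialises the new field. The hunk does not show how wsh_t is set up, so confirm that the init path zeroes the struct, or add `wsh->uri = NULL;` there; otherwise a close that happens before a completed handshake would free an indeterminate pointer. The `if (wsh->uri)` guard can be dropped because `free(NULL)` is a no-op, leaving `free(wsh->uri); wsh->uri = NULL;`. ws_close's body continues outside the hunk, and the mod_verto copy of ws.c carries the same change.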
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/ws.h b/libs/sofia-sip/libsofia-sip-ua/tport/ws.h
index 37a3b9e401..7f5f5c48b4 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/ws.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/ws.h
@@ -72,6 +72,7 @@ typedef struct wsh_s {
 ws_socket_t sock;
 char buffer[65536];
 char wbuffer[65536];
+ char *uri;
 size_t buflen;
 ssize_t datalen;
 ssize_t wdatalen;
diff --git a/src/mod/endpoints/mod_verto/ws.c b/src/mod/endpoints/mod_verto/ws.c
index 6e91ff6493..2fcd7021c0 100644
--- a/src/mod/endpoints/mod_verto/ws.c
+++ b/src/mod/endpoints/mod_verto/ws.c
@@ -241,7 +241,6 @@ int ws_handshake(wsh_t *wsh)
 char version[5] = "";
 char proto[256] = "";
 char proto_buf[384] = "";
- char uri[256] = "";
 char input[256] = "";
 unsigned char output[SHA1_HASH_SIZE] = "";
 char b64[256] = "";
@@ -276,9 +275,11 @@ int ws_handshake(wsh_t *wsh)
 if (!e) {
 goto err;
 }
-
- strncpy(uri, p, e-p);
-
+
+ wsh->uri = malloc((e-p) + 1);
+ strncpy(wsh->uri, p, e-p);
+ *(wsh->uri + (e-p)) = '\0';
+
 cheezy_get_var(wsh->buffer, "Sec-WebSocket-Key", key, sizeof(key));
 cheezy_get_var(wsh->buffer, "Sec-WebSocket-Version", version, sizeof(version));
 cheezy_get_var(wsh->buffer, "Sec-WebSocket-Protocol", proto, sizeof(proto));
@@ -615,6 +616,11 @@ ssize_t ws_close(wsh_t *wsh, int16_t reason)
 wsh->down = 1;
+ if (wsh->uri) {
+ free(wsh->uri);
+ wsh->uri = NULL;
+ }
+
 if (reason && wsh->sock != ws_sock_invalid) {
 uint16_t *u16;
 uint8_t fr[4] = {WSOC_CLOSE | 0x80, 2, 0};
diff --git a/src/mod/endpoints/mod_verto/ws.h b/src/mod/endpoints/mod_verto/ws.h
index 37a3b9e401..7f5f5c48b4 100644
--- a/src/mod/endpoints/mod_verto/ws.h
+++ b/src/mod/endpoints/mod_verto/ws.h
@@ -72,6 +72,7 @@ typedef struct wsh_s {
 ws_socket_t sock;
 char buffer[65536];
 char wbuffer[65536];
+ char *uri;
 size_t buflen;
 ssize_t datalen;
 ssize_t wdatalen;
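Review bot: The new `char *uri;` member in wsh_t has no comment saying who owns the memory, and the other members visible in this hunk are fixed-size buffers and counters, so it is easy to miss that this one is heap-allocated. A one-line comment such as `/* request URI from the handshake; malloc'd in ws_handshake(), freed in ws_close() */` would tell callers not to free it themselves or keep the pointer past close. The struct definition starts and ends outside the hunk, and the same line is added in src/mod/endpoints/mod_verto/ws.h.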