From 192ec6f5f9bf9c80a089ca020d05ad4bd9e7bcd9 Mon Sep 17 00:00:00 2001 From: Gernot Tenchio Date: Tue, 19 Apr 2016 16:24:54 +0200 Subject: [PATCH] C websockify: free memory after failed handshake Conflicts: other/websocket.c --- other/websocket.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/other/websocket.c b/other/websocket.c index 9755711..81a223f 100644 --- a/other/websocket.c +++ b/other/websocket.c @@ -612,15 +612,28 @@ ws_ctx_t *do_handshake(int sock) { } offset = 0; for (i = 0; i < 10; i++) { - len = ws_recv(ws_ctx, handshake+offset, 4096); - if (len == 0) { + /* (offset + 1): reserve one byte for the trailing '\0' */ + if (0 > (len = ws_recv(ws_ctx, handshake + offset, sizeof(handshake) - (offset + 1)))) { + handler_emsg("Read error during handshake: %m\n"); + free_ws_ctx(ws_ctx); + return NULL; + } else if (0 == len) { handler_emsg("Client closed during handshake\n"); + free_ws_ctx(ws_ctx); return NULL; } offset += len; handshake[offset] = 0; if (strstr(handshake, "\r\n\r\n")) { break; + } else if (sizeof(handshake) <= (size_t)(offset + 1)) { + handler_emsg("Oversized handshake\n"); + free_ws_ctx(ws_ctx); + return NULL; + } else if (9 == i) { + handler_emsg("Incomplete handshake\n"); + free_ws_ctx(ws_ctx); + return NULL; } usleep(10); } @@ -628,6 +641,7 @@ ws_ctx_t *do_handshake(int sock) { //handler_msg("handshake: %s\n", handshake); if (!parse_handshake(ws_ctx, handshake)) { handler_emsg("Invalid WS request\n"); + free_ws_ctx(ws_ctx); return NULL; }