From 64732c300230386ed04acc29fd8795bcf781ca41 Mon Sep 17 00:00:00 2001 From: Alexey Galakhov Date: Mon, 2 Jul 2018 16:00:23 +0200 Subject: [PATCH] frame: fix integer overflow This is a security fix. Fixes #33. Signed-off-by: Alexey Galakhov --- src/protocol/frame/frame.rs | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/protocol/frame/frame.rs b/src/protocol/frame/frame.rs index 352efab..1dc19be 100644 --- a/src/protocol/frame/frame.rs +++ b/src/protocol/frame/frame.rs @@ -344,7 +344,7 @@ impl Frame { None }; - if size < length + header_length { + if size < header_length || size - header_length < length { cursor.set_position(initial); return Ok(None) } @@ -511,6 +511,16 @@ mod tests { fn display() { let f = Frame::message("hi there".into(), OpCode::Data(Data::Text), true); let view = format!("{}", f); - view.contains("payload:"); + assert!(view.contains("payload:")); + } + + #[test] + fn parse_overflow() { + let mut raw: Cursor> = Cursor::new(vec![ + 0x83, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, + ]); + let frame_none = Frame::parse(&mut raw).unwrap(); + assert!(frame_none.is_none()); } }