From c0cde68999bc6c0f979876145952d23d83cbdd19 Mon Sep 17 00:00:00 2001
From: Alexey Galakhov
Date: Mon, 2 Jul 2018 16:00:23 +0200
Subject: [PATCH] frame: fix integer overflow
This is a security fix. Fixes #33.
Signed-off-by: Alexey Galakhov
---
 src/protocol/frame/frame.rs | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/protocol/frame/frame.rs b/src/protocol/frame/frame.rs
index 352efab..1dc19be 100644
--- a/src/protocol/frame/frame.rs
+++ b/src/protocol/frame/frame.rs
@@ -344,7 +344,7 @@ impl Frame {
 None
 };
- if size < length + header_length {
+ if size < header_length || size - header_length < length {
 cursor.set_position(initial);
 return Ok(None)
 }
@@ -511,6 +511,16 @@ mod tests {
 fn display() {
 let f = Frame::message("hi there".into(), OpCode::Data(Data::Text), true);
 let view = format!("{}", f);
- view.contains("payload:");
+ assert!(view.contains("payload:"));
+ }
+
+ #[test]
+ fn parse_overflow() {
+ let mut raw: Cursor> = Cursor::new(vec![
+ 0x83, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
+ ]);
+ let frame_none = Frame::parse(&mut raw).unwrap();
+ assert!(frame_none.is_none());
 }
 }
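Review bot: In the first hunk (`@@ -344,7 +344,7 @@`), a declared payload length that can never be satisfied now takes the same `Ok(None)` "not enough data yet" path as a genuinely short read, so an impossible frame is never reported as invalid and the caller keeps waiting for bytes that cannot arrive. RFC 6455 requires the most significant bit of a 64-bit payload length to be zero, so such a value could be rejected with a protocol error at the point where the length is decoded; that decoding lies outside the hunk, and whether callers cap the input buffer is not visible here. The new condition also deserves a comment so that it is not later "simplified" back to the addition, for example `// length is peer-controlled: compare by subtraction, length + header_length can wrap`. The enclosing function (presumably `Frame::parse`) starts and ends outside the hunk.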
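Review bot: `parse_overflow` in the second hunk asserts only the return value, although the guarded branch in the first hunk also calls `cursor.set_position(initial)` before returning. Adding `assert_eq!(raw.position(), 0);` after the parse would pin the rewind as well; this assumes `initial` is the cursor position on entry, which the hunks do not show. The test covers only the all-ones length, so a second case whose declared length is one byte more than the data supplied would exercise the `size - header_length < length` arm at its boundary. A short comment above the byte vector naming the header bytes, the 64-bit length and the mask key would make the fixture readable on its own.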