(file _ReleaseNotes.adoc_ in sources).
+[[v3.2.1]]
+== Version 3.2.1 (under dev)
+
+Bug fixes::
+
+ * relay: fix crash when decoding a malformed websocket frame
+
[[v3.2]]
== Version 3.2 (2021-06-13)
index_buffer = 0;
/* loop to decode all frames in message */
- while (index_buffer + 2 <= buffer_length)
+ while (index_buffer + 1 < buffer_length)
{
opcode = buffer[index_buffer] & 15;
length_frame_size = 1;
length_frame = buffer[index_buffer + 1] & 127;
index_buffer += 2;
+ if (index_buffer >= buffer_length)
+ return 0;
if ((length_frame == 126) || (length_frame == 127))
{
length_frame_size = (length_frame == 126) ? 2 : 8;
- if (buffer_length < 1 + length_frame_size)
+ if (index_buffer + length_frame_size > buffer_length)
return 0;
length_frame = 0;
for (i = 0; i < length_frame_size; i++)
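Review bot: The second header byte is reduced with `& 127` when `length_frame` is read, so the MASK bit (0x80) is discarded, and nothing in the lines shown tests it before the four mask bytes are read further down. The new bounds checks keep that read inside `buffer`, but an unmasked frame would still have its first four payload bytes taken as the masking key and the rest decoded against them. If this decoder only handles client-to-server frames and the bit is not checked elsewhere, RFC 6455 section 5.1 expects such a frame to be rejected. A guard placed before `index_buffer += 2;` would do it: `if (!(buffer[index_buffer + 1] & 128)) return 0;`. The `for` loop that ends this hunk has its body outside it.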
index_buffer += length_frame_size;
}
- if (buffer_length < 1 + length_frame_size + 4 + length_frame)
- return 0;
-
/* read masks (4 bytes) */
+ if (index_buffer + 4 > buffer_length)
+ return 0;
int masks[4];
for (i = 0; i < 4; i++)
{
*decoded_length += 1;
/* decode data using masks */
+ if ((length_frame > buffer_length)
+ || (index_buffer + length_frame > buffer_length))
+ {
+ return 0;
+ }
for (i = 0; i < length_frame; i++)
{
decoded[*decoded_length + i] = (int)((unsigned char)buffer[index_buffer + i]) ^ masks[i % 4];
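Review bot: The added guard before the decode loop needs a comment explaining why `length_frame > buffer_length` is tested on its own, because it reads as redundant next to the sum check and a later cleanup could drop it. With an 8-byte extended length, `index_buffer + length_frame` can wrap, and the first comparison is what keeps the second one meaningful; this assumes unsigned variables, whose declarations are outside the hunk. Something like `/* test length_frame alone first: a huge value could wrap the sum below */` would record that. The guard bounds only the read from `buffer`; the write to `decoded[*decoded_length + i]` depends on the capacity the caller allocated, which is not visible here and is worth stating in the function's header comment. The loop body continues past the end of the hunk.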