[libsoup/websockets-fixes-2.66: 13/19] WebSockets: fix invalid read when sending large messages




commit ec2f57a5a0eabcb1dbfc17c44ec089b9e9a2214c
Author: Claudio Saavedra <csaavedra igalia com>
Date:   Fri Aug 23 18:58:49 2019 +0300

    WebSockets: fix invalid read when sending large messages
    
    We use GByteArray, which can be reallocated, so be careful when
    keeping track of the current position in a message not to use
    potentially dangling pointers.
    
    Fixes #160

 libsoup/soup-websocket-connection.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c
index 2963731a..1053d52e 100644
--- a/libsoup/soup-websocket-connection.c
+++ b/libsoup/soup-websocket-connection.c
@@ -432,7 +432,7 @@ send_message (SoupWebsocketConnection *self,
        gsize frame_len;
        guint8 *outer;
        guint8 *mask = 0;
-       guint8 *at;
+       guint at;
 
        if (!(soup_websocket_connection_get_state (self) == SOUP_WEBSOCKET_STATE_OPEN)) {
                g_debug ("Ignoring message since the connection is closed or is closing");
@@ -490,11 +490,11 @@ send_message (SoupWebsocketConnection *self,
                bytes->len += 4;
        }
 
-       at = bytes->data + bytes->len;
+       at = bytes->len;
        g_byte_array_append (bytes, data, length);
 
        if (self->pv->connection_type == SOUP_WEBSOCKET_CONNECTION_CLIENT)
-               xor_with_mask (mask, at, length);
+               xor_with_mask (mask, bytes->data + at, length);
 
        frame_len = bytes->len;
        queue_frame (self, flags, g_byte_array_free (bytes, FALSE),
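Review bot: `mask` is still passed to `xor_with_mask` as a raw `guint8 *` after `g_byte_array_append (bytes, data, length)`, so it may be stale in the same way `at` was before this change. Its assignment is outside this hunk, but the `bytes->len += 4` just above and the `guint8 *mask = 0;` declaration in the first hunk suggest it points at the masking key inside `bytes->data`; if so, a reallocation during the append leaves it dangling and the XOR reads the key from freed memory. Consider recording the key's position as an offset where `mask` is set (for example `mask_at = bytes->len;`) and calling `xor_with_mask (bytes->data + mask_at, bytes->data + at, length);`. The body of send_message starts and ends outside the hunk, so this should be confirmed against the full function.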

