mirror of
https://github.com/signalwire/freeswitch.git
synced 2026-07-04 19:31:56 +00:00
Merge commit from fork
Unchecked `atoi()` on declared payload size let a client request up to `INT_MAX`, forcing the server to write ~20 GB per request via the download phase. Short `#` frames also triggered OOB reads on `s[1..3]`. - Gate `#` branch on `JPFLAG_AUTHED`. - Cap declared size at 10 MiB (`VERTO_SPEED_TEST_MAX_SIZE`). - Replace `atoi()` with bounded `strtol()`. - Require `bytes >= 4` before indexing `s[1..3]`.
This commit is contained in:
committed by
GitHub
parent
33ee3663bb
commit
67b62fb969
@@ -43,6 +43,7 @@ SWITCH_MODULE_DEFINITION(mod_verto, mod_verto_load, mod_verto_shutdown, mod_vert
|
|||||||
#define HTTP_CHUNK_SIZE 1024 * 32
|
#define HTTP_CHUNK_SIZE 1024 * 32
|
||||||
#define HTTP_POST_MAX_BODY (10 * 1024 * 1024) /* max accepted Content-Length for form-urlencoded POST */
|
#define HTTP_POST_MAX_BODY (10 * 1024 * 1024) /* max accepted Content-Length for form-urlencoded POST */
|
||||||
#define EP_NAME "verto.rtc"
|
#define EP_NAME "verto.rtc"
|
||||||
|
#define VERTO_SPEED_TEST_MAX_SIZE (10 * 1024 * 1024)
|
||||||
//#define WSS_STANDALONE 1
|
//#define WSS_STANDALONE 1
|
||||||
#include "libks/ks.h"
|
#include "libks/ks.h"
|
||||||
|
|
||||||
@@ -2112,16 +2113,26 @@ static void client_run(jsock_t *jsock)
|
|||||||
char repl[2048] = "";
|
char repl[2048] = "";
|
||||||
switch_time_t a, b;
|
switch_time_t a, b;
|
||||||
|
|
||||||
|
if (!switch_test_flag(jsock, JPFLAG_AUTHED)) {
|
||||||
|
die("%s Speed-test request before authentication\n", jsock->name);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (bytes < 4) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
if (s[1] == 'S' && s[2] == 'P') {
|
if (s[1] == 'S' && s[2] == 'P') {
|
||||||
|
|
||||||
if (s[3] == 'U') {
|
if (s[3] == 'U') {
|
||||||
int i, size = 0;
|
int i;
|
||||||
|
long size;
|
||||||
char *p = s+4;
|
char *p = s+4;
|
||||||
int loops = 0;
|
int loops = 0;
|
||||||
int rem = 0;
|
int rem = 0;
|
||||||
int dur = 0, j = 0;
|
int dur = 0, j = 0;
|
||||||
|
|
||||||
if ((size = atoi(p)) <= 0) {
|
size = strtol(p, NULL, 10);
|
||||||
|
if (size <= 0 || size > VERTO_SPEED_TEST_MAX_SIZE) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2129,7 +2140,7 @@ static void client_run(jsock_t *jsock)
|
|||||||
do {
|
do {
|
||||||
bytes = kws_read_frame(jsock->ws, &oc, &data);
|
bytes = kws_read_frame(jsock->ws, &oc, &data);
|
||||||
s = (char *) data;
|
s = (char *) data;
|
||||||
} while (bytes && data && s[0] == '#' && s[3] == 'B');
|
} while (bytes >= 4 && data && s[0] == '#' && s[3] == 'B');
|
||||||
b = switch_time_now();
|
b = switch_time_now();
|
||||||
|
|
||||||
if (!bytes || !data) continue;
|
if (!bytes || !data) continue;
|
||||||
|
|||||||
Reference in New Issue
Block a user