Fix infinite loop

an-tao · an-tao · commit 42cc36623361 · 2025-05-24T23:28:39.000+08:00
diff --git a/lib/src/WebSocketConnectionImpl.cc b/lib/src/WebSocketConnectionImpl.cc
@@ -17,6 +17,7 @@
 #include <json/value.h>
 #include <json/writer.h>
 #include <thread>
+#include <limits>
 
 using namespace drogon;
 
@@ -327,8 +328,13 @@ bool WebSocketMessageParser::parse(trantor::MsgBuffer *buffer)
         {
             indexFirstMask = 10;
         }
-        if (indexFirstMask > 2 && buffer->readableBytes() >= indexFirstMask)
+        if (indexFirstMask > 2)
         {
+            if (buffer->readableBytes() < indexFirstMask)
+            {
+                // Not enough data yet, wait for more.
+                return true;
+            }
             if (isControlFrame)
             {
                 // rfc6455-5.5
@@ -344,14 +350,17 @@ bool WebSocketMessageParser::parse(trantor::MsgBuffer *buffer)
             }
             else if (indexFirstMask == 10)
             {
-                length = (unsigned char)(*buffer)[2];
-                length = (length << 8) + (unsigned char)(*buffer)[3];
-                length = (length << 8) + (unsigned char)(*buffer)[4];
-                length = (length << 8) + (unsigned char)(*buffer)[5];
-                length = (length << 8) + (unsigned char)(*buffer)[6];
-                length = (length << 8) + (unsigned char)(*buffer)[7];
-                length = (length << 8) + (unsigned char)(*buffer)[8];
-                length = (length << 8) + (unsigned char)(*buffer)[9];
+                length = 0;
+                for (int i = 2; i <= 9; ++i)
+                {
+                    if (length > ((std::numeric_limits<size_t>::max)() >> 8))
+                    {
+                        LOG_ERROR
+                            << "Payload length too large to handle safely";
+                        return false;
+                    }
+                    length = (length << 8) + (unsigned char)(*buffer)[i];
+                }
             }
             else
             {
@@ -387,6 +396,11 @@ bool WebSocketMessageParser::parse(trantor::MsgBuffer *buffer)
                     return true;
                 }
             }
+            else
+            {
+                // Not enough data yet, wait for more.
+                return true;
+            }
         }
         else
         {
@@ -401,6 +415,11 @@ bool WebSocketMessageParser::parse(trantor::MsgBuffer *buffer)
                     return true;
                 }
             }
+            else
+            {
+                // Not enough data yet, wait for more.
+                return true;
+            }
         }
     }
     return true;

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@`
`17`	`17`	`#include <json/value.h>`
`18`	`18`	`#include <json/writer.h>`
`19`	`19`	`#include <thread>`
	`20`	`+#include <limits>`
`20`	`21`
`21`	`22`	`using namespace drogon;`
`22`	`23`
`@@ -327,8 +328,13 @@ bool WebSocketMessageParser::parse(trantor::MsgBuffer *buffer)`
`327`	`328`	`{`
`328`	`329`	`indexFirstMask = 10;`
`329`	`330`	`}`
`330`		`- if (indexFirstMask > 2 && buffer->readableBytes() >= indexFirstMask)`
	`331`	`+ if (indexFirstMask > 2)`
`331`	`332`	`{`
	`333`	`+ if (buffer->readableBytes() < indexFirstMask)`
	`334`	`+ {`
	`335`	`+ // Not enough data yet, wait for more.`
	`336`	`+ return true;`
	`337`	`+ }`
`332`	`338`	`if (isControlFrame)`
`333`	`339`	`{`
`334`	`340`	`// rfc6455-5.5`
`@@ -344,14 +350,17 @@ bool WebSocketMessageParser::parse(trantor::MsgBuffer *buffer)`
`344`	`350`	`}`
`345`	`351`	`else if (indexFirstMask == 10)`
`346`	`352`	`{`
`347`		`- length = (unsigned char)(*buffer)[2];`
`348`		`- length = (length << 8) + (unsigned char)(*buffer)[3];`
`349`		`- length = (length << 8) + (unsigned char)(*buffer)[4];`
`350`		`- length = (length << 8) + (unsigned char)(*buffer)[5];`
`351`		`- length = (length << 8) + (unsigned char)(*buffer)[6];`
`352`		`- length = (length << 8) + (unsigned char)(*buffer)[7];`
`353`		`- length = (length << 8) + (unsigned char)(*buffer)[8];`
`354`		`- length = (length << 8) + (unsigned char)(*buffer)[9];`
	`353`	`+ length = 0;`
	`354`	`+ for (int i = 2; i <= 9; ++i)`
	`355`	`+ {`
	`356`	`+ if (length > ((std::numeric_limits<size_t>::max)() >> 8))`
	`357`	`+ {`
	`358`	`+ LOG_ERROR`
	`359`	`+ << "Payload length too large to handle safely";`
	`360`	`+ return false;`
	`361`	`+ }`
	`362`	`+ length = (length << 8) + (unsigned char)(*buffer)[i];`
	`363`	`+ }`
`355`	`364`	`}`
`356`	`365`	`else`
`357`	`366`	`{`
`@@ -387,6 +396,11 @@ bool WebSocketMessageParser::parse(trantor::MsgBuffer *buffer)`
`387`	`396`	`return true;`
`388`	`397`	`}`
`389`	`398`	`}`
	`399`	`+ else`
	`400`	`+ {`
	`401`	`+ // Not enough data yet, wait for more.`
	`402`	`+ return true;`
	`403`	`+ }`
`390`	`404`	`}`
`391`	`405`	`else`
`392`	`406`	`{`
`@@ -401,6 +415,11 @@ bool WebSocketMessageParser::parse(trantor::MsgBuffer *buffer)`
`401`	`415`	`return true;`
`402`	`416`	`}`
`403`	`417`	`}`
	`418`	`+ else`
	`419`	`+ {`
	`420`	`+ // Not enough data yet, wait for more.`
	`421`	`+ return true;`
	`422`	`+ }`
`404`	`423`	`}`
`405`	`424`	`}`
`406`	`425`	`return true;`