]> git.ipfire.org Git - thirdparty/asterisk.git/commit
projects / thirdparty / asterisk.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 04ae014) | patch
chan_websocket: Fix buffer overrun when processing TEXT websocket frames.
authorGeorge Joseph <gjoseph@sangoma.com>
Tue, 19 Aug 2025 15:46:39 +0000 (09:46 -0600)
committergithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Wed, 20 Aug 2025 14:42:21 +0000 (14:42 +0000)
commitc1065d344445037843957bff51b72fed77d0aca7
tree1d90f6fcb4d995707b24b802afe6e63454987611tree | snapshot
parent04ae0141b75fa74d9661e8a2a2a957e8159316eecommit | diff
chan_websocket: Fix buffer overrun when processing TEXT websocket frames.

ast_websocket_read() receives data into a fixed 64K buffer then continually
reallocates a final buffer that, after all continuation frames have been
received, is the exact length of the data received and returns that to the
caller.  process_text_message() in chan_websocket was attempting to set a
NULL terminator on the received payload assuming the payload buffer it
received was the large 64K buffer.  The assumption was incorrect so when it
tried to set a NULL terminator on the payload, it could, depending on the
state of the heap at the time, cause heap corruption.

process_text_message() now allocates its own payload_len + 1 sized buffer,
copies the payload received from ast_websocket_read() into it then NULL
terminates it prevent the possibility of the overrun and corruption.

Resolves: #1384
channels/chan_websocket.c diff | blob | blame | history
Mirror of https://github.com/asterisk/asterisk.git