fix possible buffer overrun in websocket uri and sync the ws.c between sofia and...

diff --git a/libs/sofia-sip/.update b/libs/sofia-sip/.update
index d87400bf8ecd8f1edf3344aad63024d4df3b78f8..cb2691c2a158a24bb360ff770e9f8bf8ecb3a615 100644 (file)
--- a/libs/sofia-sip/.update
+++ b/libs/sofia-sip/.update
@@ -1 +1 @@
-Tue Sep 23 20:16:55 CDT 2014
+Wed Sep 24 01:09:42 CDT 2014

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/ws.c b/libs/sofia-sip/libsofia-sip-ua/tport/ws.c
index 6e91ff6493756ed091bd022cb99c33d15fe2c9c3..2fcd7021c089ddbaaf31caa6e05e2fefb74aff68 100644 (file)
--- a/libs/sofia-sip/libsofia-sip-ua/tport/ws.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/ws.c
@@ -241,7 +241,6 @@ int ws_handshake(wsh_t *wsh)
        char version[5] = "";
        char proto[256] = "";
        char proto_buf[384] = "";
-       char uri[256] = "";
        char input[256] = "";
        unsigned char output[SHA1_HASH_SIZE] = "";
        char b64[256] = "";
@@ -276,9 +275,11 @@ int ws_handshake(wsh_t *wsh)
        if (!e) {
                goto err;
        }
-       
-       strncpy(uri, p, e-p);
-       
+
+       wsh->uri = malloc((e-p) + 1);
+       strncpy(wsh->uri, p, e-p);
+       *(wsh->uri + (e-p)) = '\0';
+
        cheezy_get_var(wsh->buffer, "Sec-WebSocket-Key", key, sizeof(key));
        cheezy_get_var(wsh->buffer, "Sec-WebSocket-Version", version, sizeof(version));
        cheezy_get_var(wsh->buffer, "Sec-WebSocket-Protocol", proto, sizeof(proto));
@@ -615,6 +616,11 @@ ssize_t ws_close(wsh_t *wsh, int16_t reason)
 
        wsh->down = 1;
        
+       if (wsh->uri) {
+               free(wsh->uri);
+               wsh->uri = NULL;
+       }
+
        if (reason && wsh->sock != ws_sock_invalid) {
                uint16_t *u16;
                uint8_t fr[4] = {WSOC_CLOSE | 0x80, 2, 0};

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/ws.h b/libs/sofia-sip/libsofia-sip-ua/tport/ws.h
index 37a3b9e4013fcfbafcb0d43dbc8dd25843832e41..7f5f5c48b4a14875a541493b5d0907e89fd33688 100644 (file)
--- a/libs/sofia-sip/libsofia-sip-ua/tport/ws.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/ws.h
@@ -72,6 +72,7 @@ typedef struct wsh_s {
        ws_socket_t sock;
        char buffer[65536];
        char wbuffer[65536];
+       char *uri;
        size_t buflen;
        ssize_t datalen;
        ssize_t wdatalen;

diff --git a/src/mod/endpoints/mod_verto/ws.c b/src/mod/endpoints/mod_verto/ws.c
index 6e91ff6493756ed091bd022cb99c33d15fe2c9c3..2fcd7021c089ddbaaf31caa6e05e2fefb74aff68 100644 (file)
--- a/src/mod/endpoints/mod_verto/ws.c
+++ b/src/mod/endpoints/mod_verto/ws.c
@@ -241,7 +241,6 @@ int ws_handshake(wsh_t *wsh)
        char version[5] = "";
        char proto[256] = "";
        char proto_buf[384] = "";
-       char uri[256] = "";
        char input[256] = "";
        unsigned char output[SHA1_HASH_SIZE] = "";
        char b64[256] = "";
@@ -276,9 +275,11 @@ int ws_handshake(wsh_t *wsh)
        if (!e) {
                goto err;
        }
-       
-       strncpy(uri, p, e-p);
-       
+
+       wsh->uri = malloc((e-p) + 1);
+       strncpy(wsh->uri, p, e-p);
+       *(wsh->uri + (e-p)) = '\0';
+
        cheezy_get_var(wsh->buffer, "Sec-WebSocket-Key", key, sizeof(key));
        cheezy_get_var(wsh->buffer, "Sec-WebSocket-Version", version, sizeof(version));
        cheezy_get_var(wsh->buffer, "Sec-WebSocket-Protocol", proto, sizeof(proto));
@@ -615,6 +616,11 @@ ssize_t ws_close(wsh_t *wsh, int16_t reason)
 
        wsh->down = 1;
        
+       if (wsh->uri) {
+               free(wsh->uri);
+               wsh->uri = NULL;
+       }
+
        if (reason && wsh->sock != ws_sock_invalid) {
                uint16_t *u16;
                uint8_t fr[4] = {WSOC_CLOSE | 0x80, 2, 0};

diff --git a/src/mod/endpoints/mod_verto/ws.h b/src/mod/endpoints/mod_verto/ws.h
index 37a3b9e4013fcfbafcb0d43dbc8dd25843832e41..7f5f5c48b4a14875a541493b5d0907e89fd33688 100644 (file)
--- a/src/mod/endpoints/mod_verto/ws.h
+++ b/src/mod/endpoints/mod_verto/ws.h
@@ -72,6 +72,7 @@ typedef struct wsh_s {
        ws_socket_t sock;
        char buffer[65536];
        char wbuffer[65536];
+       char *uri;
        size_t buflen;
        ssize_t datalen;
        ssize_t wdatalen;