commit 69df62f0ea490d6039a7ec00b9068a2b5628a4f9
parent 0c08b57d3e82c11dafbb4bdaf86629cc2709b027
Author: Joris Vink <joris@coders.se>
Date: Mon, 1 Jul 2013 12:34:18 +0200
when receiving SETTINGS verify that the number of settings received by
the client matches the length of the SPDY frame we received.
Otherwise bad clients could potentially cause us to misbehave.
Diffstat:
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/spdy.c b/src/spdy.c
@@ -447,12 +447,19 @@ static int
spdy_ctrl_frame_settings(struct netbuf *nb)
{
u_int8_t *buf, flags;
- u_int32_t ecount, i, id, val;
+ u_int32_t ecount, i, id, val, length;
struct connection *c = (struct connection *)nb->owner;
ecount = net_read32(nb->buf + SPDY_FRAME_SIZE);
kore_debug("SPDY_SETTINGS: %d settings present", ecount);
+ length = net_read32(nb->buf + 4) & 0xffffff;
+ if (length != ((ecount * 8) + 4)) {
+ kore_debug("ecount is not correct (%d != %d)", length,
+ (ecount * 8) + 4);
+ return (KORE_RESULT_ERROR);
+ }
+
buf = nb->buf + SPDY_FRAME_SIZE + 4;
for (i = 0; i < ecount; i++) {
flags = *(u_int8_t *)buf;
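Review bot: The added check `if (length != ((ecount * 8) + 4))` computes `ecount * 8` in 32-bit unsigned arithmetic, so a sufficiently large `ecount` from the wire wraps and can still match a small `length`, leaving the loop below to walk `buf` for far more entries than the frame holds. Deriving the count from the length avoids the multiplication: `if (length < 4 || (length - 4) % 8 != 0 || ecount != (length - 4) / 8) {`. `ecount` is also read from `nb->buf + SPDY_FRAME_SIZE` before `length` is examined, which presumably relies on the caller having buffered the whole frame; that is not visible in this hunk and is worth confirming. The debug message prints `u_int32_t` values with `%d`, where `%u` would match the type. The function body, including the settings loop, continues past the end of the hunk.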