kore

An easy to use, scalable and secure web application framework for writing web APIs in C.
Commits | Files | Refs | README | LICENSE | git clone https://git.kore.io/kore.git

commit 69df62f0ea490d6039a7ec00b9068a2b5628a4f9
parent 0c08b57d3e82c11dafbb4bdaf86629cc2709b027
Author: Joris Vink <joris@coders.se>
Date:   Mon,  1 Jul 2013 12:34:18 +0200

when receiving SETTINGS verify that the number of settings received by
the client matches the length of the SPDY frame we received.
Otherwise bad clients could potentially cause us to misbehave.

Diffstat:
src/spdy.c | 9++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/spdy.c b/src/spdy.c @@ -447,12 +447,19 @@ static int spdy_ctrl_frame_settings(struct netbuf *nb) { u_int8_t *buf, flags; - u_int32_t ecount, i, id, val; + u_int32_t ecount, i, id, val, length; struct connection *c = (struct connection *)nb->owner; ecount = net_read32(nb->buf + SPDY_FRAME_SIZE); kore_debug("SPDY_SETTINGS: %d settings present", ecount); + length = net_read32(nb->buf + 4) & 0xffffff; + if (length != ((ecount * 8) + 4)) { + kore_debug("ecount is not correct (%d != %d)", length, + (ecount * 8) + 4); + return (KORE_RESULT_ERROR); + } + buf = nb->buf + SPDY_FRAME_SIZE + 4; for (i = 0; i < ecount; i++) { flags = *(u_int8_t *)buf;