On 23 March 2015 at 22:58, Daniel P. Berrange <[email protected]> wrote: > - if (*payload_size < 126) { > - header_size = 6; > - mask = header->u.m; > - } else if (*payload_size == 126 && input->offset >= 8) { > - *payload_size = be16_to_cpu(header->u.s16.l16); > - header_size = 8; > - mask = header->u.s16.m16; > - } else if (*payload_size == 127 && input->offset >= 14) { > - *payload_size = be64_to_cpu(header->u.s64.l64); > - header_size = 14; > - mask = header->u.s64.m64; > + if (payload_len < 126) { > + *payload_remain = payload_len; > + *header_size = 6; > + *payload_mask = header->u.m; > + } else if (payload_len == 126 && input->offset >= 8) { > + *payload_remain = be16_to_cpu(header->u.s16.l16); > + *header_size = 8; > + *payload_mask = header->u.s16.m16; > + } else if (payload_len == 127 && input->offset >= 14) { > + *payload_remain = be64_to_cpu(header->u.s64.l64); > + *header_size = 14; > + *payload_mask = header->u.s64.m64;
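Review bot: the `payload_len == 127` branch assigns the peer-supplied 64-bit length straight into `*payload_remain` (`*payload_remain = be64_to_cpu(header->u.s64.l64);`) with no range check visible in the hunk, so on a 32-bit build it silently truncates to size_t and on any build no upper bound is applied. Read it into a local uint64_t first and reject it before the store, e.g. `if (len > SIZE_MAX || len > MAX_FRAME_SIZE) return -1;` (MAX_FRAME_SIZE being whatever limit the caller is willing to buffer; RFC 6455 additionally requires the top bit of the 64-bit length to be zero), then assign.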
We were already doing this before, but if this is a 32-bit machine then the assignment to *payload_remain in this case is going to be assigning a 64-bit value from the datastream to a 32-bit size_t, which doesn't seem like a great idea to just silently do, though I suppose the datastream is in complete control of that value anyway. -- PMM
