From 6328231f2aa628632344d96a58e25c3b194af506 Mon Sep 17 00:00:00 2001 From: Lucas Date: Tue, 5 Nov 2024 02:59:58 +0000 Subject: [PATCH 01/13] mbedtls: fix issue about memory leak https://github.com/warmcat/libwebsockets/issues/3177 --- lib/plat/unix/unix-init.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/plat/unix/unix-init.c b/lib/plat/unix/unix-init.c index 6d3156c08..4426e5dc3 100644 --- a/lib/plat/unix/unix-init.c +++ b/lib/plat/unix/unix-init.c @@ -262,4 +262,9 @@ lws_plat_context_late_destroy(struct lws_context *context) lwsl_err("ZERO RANDOM FD\n"); if (context->fd_random != LWS_INVALID_FILE) close(context->fd_random); + +#if defined(LWS_WITH_MBEDTLS) + mbedtls_entropy_free(&context->mec); + mbedtls_ctr_drbg_free(&context->mcdc); +#endif } From d568eccd4c4857109c5e34163b413e7dfe1451a0 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Fri, 13 Dec 2024 09:18:16 +0000 Subject: [PATCH 02/13] spa: use sized local info rather than incoming We allow a default 0 length in the incoming const info to mean a default size (of 512). We implement it by copying the incoming const info to a copy in the spa that we can adapt, which is all good. But in two cases after we dumbly use the incoming const info directly instead of the adapted copy. https://github.com/warmcat/libwebsockets/issues/3294 --- lib/roles/http/server/lws-spa.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/roles/http/server/lws-spa.c b/lib/roles/http/server/lws-spa.c index f24f417af..6d13b1f0b 100644 --- a/lib/roles/http/server/lws-spa.c +++ b/lib/roles/http/server/lws-spa.c @@ -586,7 +586,7 @@ lws_spa_create_via_info(struct lws *wsi, const lws_spa_create_info_t *i) if (!spa->storage) goto bail2; - spa->end = spa->storage + i->max_storage - 1; + spa->end = spa->storage + spa->i.max_storage - 1; if (i->count_params) { if (i->ac) 
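Review bot: The two frees added to `lws_plat_context_late_destroy()` run unconditionally under `LWS_WITH_MBEDTLS`, so they depend on `context->mec` and `context->mcdc` having been initialised on every path that reaches destroy, including a context whose creation failed part-way. The matching init calls are not visible in this hunk and should be confirmed. The cleanup also lives in `lib/plat/unix/unix-init.c`, so an mbedtls build on another platform layer would presumably still leak the same two objects. A comment above the block, e.g. `/* release the entropy and DRBG state owned by this context; only valid after their init has run */`, would make the pairing explicit.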
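Review bot: Nothing in `lws_spa_create_via_info()` tells a reader which copy of the info is authoritative: `max_storage` now comes from `spa->i`, while the context lines just below still read `i->count_params` and `i->ac` from the caller's const struct. The same applies to the second hunk at the `lws_urldecode_s_create()` call. Because `spa->end` and the decoder's output length are the bounds for later writes into `spa->storage`, a comment at the point where the copy is adapted would help, e.g. `/* from here on use spa->i, not i: spa->i.max_storage has the default applied */`. The allocation of `spa->storage` is above the hunk and is worth checking for the same mix-up.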
@@ -599,7 +599,7 @@ lws_spa_create_via_info(struct lws *wsi, const lws_spa_create_info_t *i) goto bail3; } - spa->s = lws_urldecode_s_create(spa, wsi, spa->storage, i->max_storage, + spa->s = lws_urldecode_s_create(spa, wsi, spa->storage, spa->i.max_storage, lws_urldecode_spa_cb); if (!spa->s) goto bail4; From a74362ffdd17b7f6293f675edef6d602096a1e29 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Wed, 18 Dec 2024 07:24:02 +0000 Subject: [PATCH 03/13] examples: ss server: correct README --- minimal-examples/server/hello_world/README.md | 101 +++++++++--------- 1 file changed, 48 insertions(+), 53 deletions(-) diff --git a/minimal-examples/server/hello_world/README.md b/minimal-examples/server/hello_world/README.md index 6e98f1180..9b3dba28f 100644 --- a/minimal-examples/server/hello_world/README.md +++ b/minimal-examples/server/hello_world/README.md @@ -1,16 +1,9 @@ # lws minimal secure streams server -The application sets up a tls + ws server on https://localhost:7681 +The application sets up the simplest possible tls + https server on https://localhost:7681 It does it using Secure Streams... information about how the server should -operate is held in JSON policy in main.c - -Visiting the server in a modern browser will fetch some html + JS, the JS will -create a ws link back to the server and the server will spam an incrementing -number that is displayed in the browser every 100ms. - -The app also has a SS client that works, but it's disabled by default since -we're interested in server. +operate is managed by example-policy.json from the example dir. ## build 
@@ -25,48 +18,50 @@ Commandline option|Meaning -d |Debug verbosity in decimal, eg, -d15 ``` -[2020/07/27 10:51:04:8994] U: LWS Secure Streams Server -[2020/07/27 10:51:04:9440] N: LWS: 4.0.99-v4.0.0-245-ge6eb4417a, loglevel 1031 -[2020/07/27 10:51:04:9444] N: NET CLI SRV H1 H2 WS MQTT SS-JSON-POL SSPROX ASYNC_DNS IPv6-absent -[2020/07/27 10:51:05:1685] N: lws_adopt_descriptor_vhost2: wsi 0x5317d30, vhost system ss_handle (nil) -[2020/07/27 10:51:05:1753] N: lws_adopt_descriptor_vhost2: wsi 0x53182c0, vhost system ss_handle (nil) -[2020/07/27 10:51:05:2129] N: lws_ss_policy_parser_cb: server 'self_localhost' keep 52 0x5318cc0 -[2020/07/27 10:51:05:2134] N: lws_ss_policy_parser_cb: server 'self_localhost_key' keep 53 0x5318cf8 -[2020/07/27 10:51:05:2192] N: lws_ss_policy_ref_trust_store: le_via_isrg trust store initial 'isrg_root_x1' -[2020/07/27 10:51:05:7804] N: smd_cb: creating server stream -[2020/07/27 10:51:05:7851] N: Vhost 'myserver' using TLS mode -[2020/07/27 10:51:05:8660] N: SSL ECDH curve 'prime256v1' -[2020/07/27 10:51:06:1035] N: vhost myserver: cert expiry: 729599d -[2020/07/27 10:51:06:1039] N: lws_ss_create: created server myserver -[2020/07/27 10:51:11:8650] N: lws_adopt_descriptor_vhost2: wsi 0x5b046e0, vhost myserver ss_handle 0x56e2be0 -[2020/07/27 10:51:11:8672] U: myss_srv_state: 0x5b52f60 LWSSSCS_CREATING, ord 0x0 -[2020/07/27 10:51:11:8693] U: myss_srv_state: 0x5b52f60 LWSSSCS_CONNECTING, ord 0x0 -[2020/07/27 10:51:11:8696] U: myss_srv_state: 0x5b52f60 LWSSSCS_CONNECTED, ord 0x0 -[2020/07/27 10:51:11:9743] U: myss_srv_state: 0x5ba2bd0 LWSSSCS_CREATING, ord 0x0 -[2020/07/27 10:51:11:9747] U: myss_srv_state: 0x5ba2bd0 LWSSSCS_CONNECTING, ord 0x0 -[2020/07/27 10:51:11:9747] U: myss_srv_state: 0x5ba2bd0 LWSSSCS_CONNECTED, ord 0x0 -[2020/07/27 10:51:12:0192] U: myss_srv_state: 0x5bad0a0 LWSSSCS_CREATING, ord 0x0 -[2020/07/27 10:51:12:0193] U: myss_srv_state: 0x5bad0a0 LWSSSCS_CONNECTING, ord 0x0 -[2020/07/27 10:51:12:0194] U: myss_srv_state: 
0x5bad0a0 LWSSSCS_CONNECTED, ord 0x0 -[2020/07/27 10:51:12:0306] N: secstream_h1: LWS_CALLBACK_HTTP -[2020/07/27 10:51:12:0329] U: myss_srv_state: 0x5bad0a0 LWSSSCS_SERVER_TXN, ord 0x0 -[2020/07/27 10:51:12:0481] N: lws_h2_ws_handshake: Server SS 0x5ba2bd0 .wsi 0x5ba27b0 switching to ws protocol -[2020/07/27 10:51:12:0484] U: myss_srv_state: 0x5ba2bd0 LWSSSCS_SERVER_UPGRADE, ord 0x0 -[2020/07/27 10:51:12:0541] U: myss_srv_state: 0x5ba2bd0 LWSSSCS_CONNECTED, ord 0x0 -[2020/07/27 10:51:12:1222] U: myss_srv_state: 0x5bd1100 LWSSSCS_CREATING, ord 0x0 -[2020/07/27 10:51:12:1222] U: myss_srv_state: 0x5bd1100 LWSSSCS_CONNECTING, ord 0x0 -[2020/07/27 10:51:12:1223] U: myss_srv_state: 0x5bd1100 LWSSSCS_CONNECTED, ord 0x0 -[2020/07/27 10:51:12:1242] N: lws_h2_ws_handshake: Server SS 0x5bd1100 .wsi 0x5bd0ce0 switching to ws protocol -[2020/07/27 10:51:12:1243] U: myss_srv_state: 0x5bd1100 LWSSSCS_SERVER_UPGRADE, ord 0x0 -[2020/07/27 10:51:12:1246] U: myss_srv_state: 0x5bd1100 LWSSSCS_CONNECTED, ord 0x0 -^C[2020/07/27 10:51:15:2809] U: myss_srv_state: 0x5bad0a0 LWSSSCS_DISCONNECTED, ord 0x0 -[2020/07/27 10:51:15:2838] U: myss_srv_state: 0x5bad0a0 LWSSSCS_DESTROYING, ord 0x0 -[2020/07/27 10:51:15:2938] U: myss_srv_state: 0x5ba2bd0 LWSSSCS_DISCONNECTED, ord 0x0 -[2020/07/27 10:51:15:2946] U: myss_srv_state: 0x5ba2bd0 LWSSSCS_DESTROYING, ord 0x0 -[2020/07/27 10:51:15:2952] U: myss_srv_state: 0x5bd1100 LWSSSCS_DISCONNECTED, ord 0x0 -[2020/07/27 10:51:15:2953] U: myss_srv_state: 0x5bd1100 LWSSSCS_DESTROYING, ord 0x0 -[2020/07/27 10:51:15:2960] U: myss_srv_state: 0x5b52f60 LWSSSCS_DISCONNECTED, ord 0x0 -[2020/07/27 10:51:15:2961] U: myss_srv_state: 0x5b52f60 LWSSSCS_DESTROYING, ord 0x0 -[2020/07/27 10:51:15:3042] U: myss_srv_state: 0x56e2be0 LWSSSCS_DESTROYING, ord 0x0 -[2020/07/27 10:51:15:3378] U: Completed: OK +[2024/12/18 07:22:29:2105] U: LWS Secure Streams Server +[2024/12/18 07:22:29:2105] N: lws_create_context: LWS: 4.3.99-v4.3.0-423-gd568eccd, NET CLI SRV H1 H2 WS 
SS-JSON-POL ConMon IPV6-on +[2024/12/18 07:22:29:2106] N: __lws_lc_tag: ++ [wsi|0|pipe] (1) +[2024/12/18 07:22:29:2108] N: __lws_lc_tag: ++ [vh|0|netlink] (1) +[2024/12/18 07:22:29:2115] N: lws_ss_policy_parser_cb: server 'self_localhost' keep 76 0x2c39e250 +[2024/12/18 07:22:29:2115] N: lws_ss_policy_parser_cb: server 'self_localhost_key' keep 77 0x2c39e288 +[2024/12/18 07:22:29:2116] N: __lws_lc_tag: ++ [vh|1|_ss_default||-1] (2) +[2024/12/18 07:22:29:3183] N: __lws_lc_tag: ++ [wsiSScli|0|myserver] (1) +[2024/12/18 07:22:29:3183] N: __lws_lc_tag: ++ [vh|2|myserver||7681] (3) +[2024/12/18 07:22:29:3183] N: Vhost 'myserver' using TLS mode +[2024/12/18 07:22:29:3189] N: SSL ECDH curve 'prime256v1' +[2024/12/18 07:22:29:3190] N: [vh|2|myserver||7681]: lws_socket_bind: source ads 0.0.0.0 +[2024/12/18 07:22:29:3191] N: __lws_lc_tag: ++ [wsi|1|listen|myserver||7681] (2) +[2024/12/18 07:22:29:3192] N: [vh|2|myserver||7681]: lws_socket_bind: source ads :: +[2024/12/18 07:22:29:3192] N: __lws_lc_tag: ++ [wsi|2|listen|myserver||7681] (3) +[2024/12/18 07:22:29:3192] N: [vh|2|myserver||7681]: lws_tls_check_cert_lifetime: vhost myserver: cert expiry: 727994d +[2024/12/18 07:22:29:3192] N: [wsiSScli|0|myserver]: lws_ss_check_next_state_ss: (unset) -> LWSSSCS_CREATING +[2024/12/18 07:22:29:3192] N: lws_ss_create: created server myserver +[2024/12/18 07:22:34:3232] N: [vh|2|myserver||7681]: lws_tls_check_cert_lifetime: vhost myserver: cert expiry: 727994d +[2024/12/18 07:22:35:6162] N: __lws_lc_tag: ++ [wsisrv|0|myserver|(null)] (1) +[2024/12/18 07:22:35:6163] N: __lws_lc_tag: ++ [wsiSScli|1|myserver] (2) +[2024/12/18 07:22:35:6164] N: [wsiSScli|1|myserver]: lws_ss_check_next_state_ss: (unset) -> LWSSSCS_CREATING +[2024/12/18 07:22:35:6164] N: [wsiSScli|1|myserver]: lws_ss_check_next_state_ss: LWSSSCS_CREATING -> LWSSSCS_CONNECTING +[2024/12/18 07:22:35:6330] N: __lws_lc_tag: ++ [mux|0|myserver|h2_sid3_(wsisrv|0|myserver)] (1) +[2024/12/18 07:22:35:6330] N: __lws_lc_tag: ++ 
[wsiSScli|2|myserver] (3) +[2024/12/18 07:22:35:6330] N: [wsiSScli|2|myserver]: lws_ss_check_next_state_ss: (unset) -> LWSSSCS_CREATING +[2024/12/18 07:22:35:6331] N: [wsiSScli|2|myserver]: lws_ss_check_next_state_ss: LWSSSCS_CREATING -> LWSSSCS_CONNECTING +[2024/12/18 07:22:35:6332] N: [wsiSScli|2|myserver]: lws_ss_check_next_state_ss: LWSSSCS_CONNECTING -> LWSSSCS_CONNECTED +[2024/12/18 07:22:35:6332] N: [wsiSScli|2|myserver]: lws_ss_check_next_state_ss: LWSSSCS_CONNECTED -> LWSSSCS_SERVER_TXN +[2024/12/18 07:22:35:6332] U: [wsiSScli|2|myserver]: myss_srv_tx: TX 26, flags 0x3, r 0 +[2024/12/18 07:22:35:6332] N: [wsiSScli|2|myserver]: lws_ss_check_next_state_ss: LWSSSCS_SERVER_TXN -> LWSSSCS_DISCONNECTED +[2024/12/18 07:22:35:6332] N: [wsiSScli|2|myserver]: lws_ss_check_next_state_ss: LWSSSCS_DISCONNECTED -> LWSSSCS_DESTROYING +[2024/12/18 07:22:35:6332] N: __lws_lc_untag: -- [wsiSScli|2|myserver] (2) 200μs +[2024/12/18 07:22:35:6332] N: __lws_lc_untag: -- [mux|0|myserver|h2_sid3_(wsisrv|0|myserver)] (0) 229μs +^C[2024/12/18 07:22:39:8479] N: __lws_lc_untag: -- [wsi|0|pipe] (2) 10.637s +[2024/12/18 07:22:39:8481] N: __lws_lc_untag: -- [wsisrv|0|myserver|(null)] (0) 4.231s +[2024/12/18 07:22:39:8481] N: __lws_lc_untag: -- [wsi|2|listen|myserver||7681] (1) 10.528s +[2024/12/18 07:22:39:8482] N: __lws_lc_untag: -- [vh|2|myserver||7681] (2) 10.529s +[2024/12/18 07:22:39:8482] N: __lws_lc_untag: -- [wsi|1|listen|myserver||7681] (0) 10.529s +[2024/12/18 07:22:39:8482] N: __lws_lc_untag: -- [vh|0|netlink] (1) 10.637s +[2024/12/18 07:22:39:8482] N: [wsiSScli|1|myserver]: lws_ss_check_next_state_ss: LWSSSCS_CONNECTING -> LWSSSCS_DESTROYING +[2024/12/18 07:22:39:8482] N: __lws_lc_untag: -- [wsiSScli|1|myserver] (1) 4.231s +[2024/12/18 07:22:39:8482] N: [wsiSScli|0|myserver]: lws_ss_check_next_state_ss: LWSSSCS_CREATING -> LWSSSCS_DESTROYING +[2024/12/18 07:22:39:8482] N: __lws_lc_untag: -- [wsiSScli|0|myserver] (0) 10.529s +[2024/12/18 07:22:39:8486] N: __lws_lc_untag: -- 
[vh|1|_ss_default||-1] (0) 10.637s +[2024/12/18 07:22:39:8486] U: Completed: OK (seen expected 0) ``` From 1fccae47ed9aac6c75f4dafb35693f7d90b5fd25 Mon Sep 17 00:00:00 2001 From: Albert Ribes Date: Fri, 10 Jan 2025 13:39:14 +0000 Subject: [PATCH 04/13] lejp: E implies float Since eg, 1e-3 is a float without needing a decimal point, let's just generally take it that anything with the exponent token is a float, ie, 1e3 is also a float despite it can be expressed as an integer. This seems right also because E is itself not valid in an integer. https://github.com/warmcat/libwebsockets/issues/3308 --- lib/misc/lejp.c | 3 ++- .../api-tests/api-test-lejp/main.c | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/lib/misc/lejp.c b/lib/misc/lejp.c index e178616e2..31e83bd1e 100644 --- a/lib/misc/lejp.c +++ b/lib/misc/lejp.c @@ -617,7 +617,8 @@ lejp_parse(struct lejp_ctx *ctx, const unsigned char *json, int len) } ctx->buf[ctx->npos] = '\0'; - if (ctx->f & LEJP_SEEN_POINT) { + if (ctx->f & (LEJP_SEEN_POINT | LEJP_SEEN_EXP)) { + /* 0.001 or 1E-3 are both floats, take 1E3 as float too */ if (ctx->pst[ctx->pst_sp].callback(ctx, LEJPCB_VAL_NUM_FLOAT)) goto reject_callback; diff --git a/minimal-examples-lowlevel/api-tests/api-test-lejp/main.c b/minimal-examples-lowlevel/api-tests/api-test-lejp/main.c index cddc86572..0bea49c06 100644 --- a/minimal-examples-lowlevel/api-tests/api-test-lejp/main.c +++ b/minimal-examples-lowlevel/api-tests/api-test-lejp/main.c @@ -137,6 +137,10 @@ static const char * const json_tests[] = { "{" /* test 12: test 11 but done with LEJP_FLAG_FEAT_OBJECT_INDEXES */ "\"array1\": [[\"a\", \"b\", \"b1\"], [\"c\", \"d\", \"d1\"]]," "\"array2\": [[\"e\", \"f\", \"f1\"], [\"g\", \"h\", \"h1\"]]" + "}", + + "{" /* test 13: float vs int */ + "\"a\": 1, \"b\": 1.0, \"c\": 1e-3, \"d\": 1e3" "}" }; 
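Review bot: A user callback that handles only `LEJPCB_VAL_NUM_INT` will no longer receive exponent-form values such as `1e3`, and only the inline comment in `lejp_parse()` records that contract change. The public description of the number callbacks should state it, e.g. `/* numbers containing '.' or an exponent are reported as LEJPCB_VAL_NUM_FLOAT */`. Test 13 in the api-test file covers lowercase `e` only, although the new comment names `1E-3`; an uppercase case would pin that spelling too.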
@@ -438,6 +442,20 @@ static struct lejp_results { { 15, 1, 2, { 1, }, "array2[]", "h1" }, { 17, 1, 0, { 1, }, "array2[]", "h1" }, { 3, 1, 0, { 1, }, "array2[]", "h1" }, +}, r13[] = { + { 0, 0, 0, { }, "", "h1" }, + { 2, 0, 0, { }, "", "h1" }, + { 16, 0, 0, { 0, }, "", "h1" }, + { 5, 0, 0, { 0, }, "a", "h1" }, + { 73, 0, 0, { 0, }, "a", "1" }, + { 5, 0, 0, { 1, }, "b", "1" }, + { 74, 0, 0, { 1, }, "b", "1.0" }, + { 5, 0, 0, { 2, }, "c", "1.0" }, + { 74, 0, 0, { 2, }, "c", "1e-3" }, + { 5, 0, 0, { 3, }, "d", "1e-3" }, + { 74, 0, 0, { 3, }, "d", "1e3" }, + { 17, 0, 0, { 3, }, "d", "1e3" }, + { 3, 0, 0, { 3, }, "d", "1e3" }, }; static const char * const tok[] = { @@ -469,6 +487,7 @@ struct lejp_results_pkg { { r12, LWS_ARRAY_SIZE(r12), tok_test11, LWS_ARRAY_SIZE(tok_test11), LEJP_FLAG_FEAT_LEADING_WC | LEJP_FLAG_FEAT_OBJECT_INDEXES }, + { r13, LWS_ARRAY_SIZE(r13), tok, LWS_ARRAY_SIZE(tok), 0 }, }; From 04707231d2161fc4cef71fed0183434e1e2e1d9b Mon Sep 17 00:00:00 2001 From: Andy Green Date: Thu, 16 Jan 2025 10:32:03 +0000 Subject: [PATCH 05/13] coverity 472862: cookiejar overflow --- lib/misc/cache-ttl/file.c | 50 ++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 8 deletions(-) diff --git a/lib/misc/cache-ttl/file.c b/lib/misc/cache-ttl/file.c index 3307faf8e..025fd7fa8 100644 --- a/lib/misc/cache-ttl/file.c +++ b/lib/misc/cache-ttl/file.c @@ -150,6 +150,9 @@ static int nscookiejar_iterate(lws_cache_nscookiejar_t *cache, int fd, nsc_cb_t cb, void *opaque) { +#if defined(__COVERITY__) + return -1; +#else int m = 0, n = 0, e, r = LCN_SOL, ignore = 0, ret = 0; char temp[256], eof = 0; 
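Review bot: Stubbing the whole body of `nscookiejar_iterate()` to `return -1;` under `__COVERITY__` removes the cookie-jar parser from static analysis entirely, so the tool that prompted the bounds checks added later in this commit never examines them. A suppression limited to the flagged `read()` line would keep the rest of the function covered. If the stub stays, it should carry a comment such as `/* __COVERITY__: function deliberately excluded from analysis, see the read() note below */`, and `cache`, `cb` and `opaque` are unused in that build. The function body continues outside this hunk.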
@@ -157,26 +160,49 @@ nscookiejar_iterate(lws_cache_nscookiejar_t *cache, int fd, return -1; do { /* for as many buffers in the file */ - - int n1; + ssize_t n1s; /* coverity taints if we use int cast here */ lwsl_debug("%s: n %d, m %d\n", __func__, n, m); read: - n1 = (int)read(fd, temp + n, sizeof(temp) - (size_t)n); + if ((size_t)n >= sizeof(temp) - 1) + /* there's no space left in temp */ + n1s = 0; + else + /* + * Coverity says: "The expression 256UL - (size_t)n is + * deemed underflowed because at least one of its + * arguments has underflowed." ... however we explicitly + * check if n >= 256 a couple of lines above. + * n cannot be negative either. + * + * Removing this function from Coverity + */ + n1s = read(fd, temp + n, sizeof(temp) - (size_t)n); - lwsl_debug("%s: n1 %d\n", __func__, n1); + lwsl_debug("%s: n1 %d\n", __func__, (int)n1s); - if (n1 <= 0) { + if (n1s <= 0) { eof = 1; if (m == n) continue; - } else - n += n1; + } else { + /* + * Help coverity see we cannot overflow n here + */ + if ((size_t)n >= sizeof(temp) || + (size_t)n1s >= sizeof(temp) || + (size_t)(n + n1s) >= sizeof(temp)) { + ret = -1; + goto bail; + } + + n = (int)(n + n1s); + } while (m < n) { - m++; + m++; /* m can == n now then */ if (temp[m - 1] != '\n') continue; @@ -197,6 +223,13 @@ read: * cb can classify it even if it can't get all the * value part in one go */ + + /* coverity: we will blow up if m > n */ + if (m > n) { + ret = -1; + goto bail; + } + memmove(temp, temp + m, (size_t)(n - m)); n -= m; m = 0; @@ -241,6 +274,7 @@ read: bail: return ret; +#endif } /* From 8e0e0b91df1105d2816b08e1812afd9355eb6ea1 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Thu, 16 Jan 2025 10:34:53 +0000 Subject: [PATCH 06/13] coverity 872858: hash gen overflow false positive Help it ignore that we use the MS 7 bits in the next part of the operation and discard it in the first part. --- lib/core/lws_map.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
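Review bot: The new guard `(size_t)(n + n1s) >= sizeof(temp)` (and `(size_t)n1s >= sizeof(temp)` beside it) rejects a read that exactly fills `temp`, yet `read()` is still asked for `sizeof(temp) - (size_t)n` bytes. From the visible lines, a first read on a file of 256 bytes or more can return 256 and take the `ret = -1` path. The pre-check above treats `sizeof(temp) - 1` as full, which suggests one byte is meant to stay spare. Making the call `n1s = read(fd, temp + n, sizeof(temp) - 1 - (size_t)n);` would bring the three conditions into agreement. The loop body continues outside this hunk, so how a full buffer is consumed afterwards could not be checked.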
diff --git a/lib/core/lws_map.c b/lib/core/lws_map.c index b319d79f4..3578aa801 100644 --- a/lib/core/lws_map.c +++ b/lib/core/lws_map.c @@ -88,7 +88,10 @@ lws_map_hash_from_key_default(const lws_map_key_t key, size_t kl) const uint8_t *u = (const uint8_t *)key; while (kl--) - h = ((((h << 7) | (h >> 25)) + 0xa1b2c3d4) ^ (*u++)) ^ h; + h = (( + (((h & 0x1fffffff /* coverity */ ) << 7) | + (h >> 25)) + + 0xa1b2c3d4) ^ (*u++)) ^ h; return h; } From 70dc6783e05fa396d3ee409447ccb6dd0d6c45c1 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Thu, 16 Jan 2025 10:44:36 +0000 Subject: [PATCH 07/13] coverity 472859: jpeg restart_interval --- lib/misc/jpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/misc/jpeg.c b/lib/misc/jpeg.c index 875e7815e..2790df2ca 100644 --- a/lib/misc/jpeg.c +++ b/lib/misc/jpeg.c @@ -2252,8 +2252,8 @@ lws_jpeg_mcu_next(lws_jpeg_t *j) r = interval_restart(j); if (r) return r; - } - j->restarts_left--; + } else + j->restarts_left--; } j->fs_mcu_mb = 0; From f835779a743130897633e153d509e330fb475102 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Thu, 16 Jan 2025 10:49:10 +0000 Subject: [PATCH 08/13] coverity 472863: cookies: length check order wrong --- lib/roles/http/cookie.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/roles/http/cookie.c b/lib/roles/http/cookie.c index 1860e87de..44ad6eb9b 100644 --- a/lib/roles/http/cookie.c +++ b/lib/roles/http/cookie.c @@ -160,11 +160,13 @@ lws_cookie_rm_sws(const char **buf_p, size_t *len_p) buf = *buf_p; len = *len_p; + while (buf[0] == ' ' && len > 0) { buf++; len--; } - while (buf[len - 1] == ' ' && len > 0) + + while (len && buf[len - 1] == ' ') len--; *buf_p = buf; From aff5bb43e4b4ef8ad7feda99e8407acbbaedeab6 Mon Sep 17 00:00:00 2001 
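Review bot: The mask `0x1fffffff` in `lws_map_hash_from_key_default()` keeps 29 bits, but a left shift by 7 in a 32-bit value only preserves the low 25, so bits 25 to 28 are still shifted out. The constant therefore matches neither the `h >> 25` half of the rotate nor the commit message's "MS 7 bits". If `h` is a 32-bit unsigned type (its declaration is above the hunk) the hash value is the same either way, so this is about the literal saying what is meant: `(((h & 0x01ffffff /* coverity */ ) << 7) |`. A short comment that the expression is a 7-bit left rotate would also help.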
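Review bot: The leading-space loop just above the corrected one, `while (buf[0] == ' ' && len > 0)`, still reads `buf[0]` before testing `len`. On an empty or all-space input it reads one byte past the counted region, which is the same ordering problem this commit fixes for the trailing loop. It should become `while (len && buf[0] == ' ') {`. `lws_cookie_rm_sws()` starts above the hunk.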
From: Andy Green Date: Thu, 16 Jan 2025 10:59:48 +0000 Subject: [PATCH 09/13] coverity 472860: ops-h2: let coverity see all err enums covered x --- lib/roles/h2/ops-h2.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/lib/roles/h2/ops-h2.c b/lib/roles/h2/ops-h2.c index 50dc24f94..f3674d7a3 100644 --- a/lib/roles/h2/ops-h2.c +++ b/lib/roles/h2/ops-h2.c @@ -227,11 +227,13 @@ read: // lwsi_state(wsi) != LRS_H1C_ISSUE_HANDSHAKE2 && lwsi_state(wsi) != LRS_H2_WAITING_TO_SEND_HEADERS))) { + int scr_ret; + ebuf.token = pt->serv_buf; - ebuf.len = lws_ssl_capable_read(wsi, + scr_ret = lws_ssl_capable_read(wsi, ebuf.token, wsi->a.context->pt_serv_buf_size); - switch (ebuf.len) { + switch (scr_ret) { case 0: lwsl_info("%s: zero length read\n", __func__); return LWS_HPI_RET_PLEASE_CLOSE_ME; @@ -243,6 +245,19 @@ read: return LWS_HPI_RET_PLEASE_CLOSE_ME; } + /* + * coverity is confused: it knows lws_ssl_capable_read may + * return < 0 and assigning that to ebuf.len is bad, but it + * doesn't understand this check below on scr_ret < 0 + * removes that possibility + */ + + ebuf.len = scr_ret; + if (ebuf.len < 0) /* ie, not usable data */ { + lwsl_info("%s: other error\n", __func__); + return LWS_HPI_RET_PLEASE_CLOSE_ME; + } + // lwsl_notice("%s: Actual RX %d\n", __func__, ebuf.len); // if (ebuf.len > 0) // lwsl_hexdump_notice(ebuf.token, ebuf.len); @@ -313,7 +328,8 @@ drain: lws_dll2_remove(&wsi->dll_buflist); } } else - if (n && n < ebuf.len && ebuf.len > 0) { + /* cov: both n and ebuf.len are int */ + if (n > 0 && n < ebuf.len && ebuf.len > 0) { // lwsl_notice("%s: h2 append seg %d\n", __func__, ebuf.len - n); m = lws_buflist_append_segment(&wsi->buflist, ebuf.token + n, From fb6a7c813181139f4ea35d81fcc4c8b1365acfef Mon Sep 17 00:00:00 2001 
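Review bot: In the second hunk the result is stored into `ebuf.len` and only then tested for `< 0`, although the comment above it describes a check on `scr_ret`. Moving the test ahead of the assignment, with `if (scr_ret < 0)` guarding the existing log-and-return and `ebuf.len = scr_ret;` after it, keeps an error code from ever being stored in the length field and matches the comment. In the third hunk `ebuf.len > 0` is implied by `n > 0 && n < ebuf.len` and can be dropped. Not all of the switch cases between the first two hunks are visible, so whether any negative value is meant to reach this point could not be checked.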
From: Andy Green Date: Thu, 16 Jan 2025 11:40:26 +0000 Subject: [PATCH 10/13] coverity 472861: http2: deal with zero length data without overflow --- lib/roles/h2/http2.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/roles/h2/http2.c b/lib/roles/h2/http2.c index 8f4aa9e25..60ca55ff3 100644 --- a/lib/roles/h2/http2.c +++ b/lib/roles/h2/http2.c @@ -2329,12 +2329,14 @@ lws_h2_parser(struct lws *wsi, unsigned char *in, lws_filepos_t _inlen, (unsigned int)h2n->count, (unsigned int)h2n->length); - in += (unsigned int)n - 1; - h2n->inside += (unsigned int)n; - h2n->count += (unsigned int)n - 1; + if (n) { + in += (unsigned int)n - 1; + h2n->inside += (unsigned int)n; + h2n->count += (unsigned int)n - 1; - h2n->swsi->txc.peer_tx_cr_est -= n; - wsi->txc.peer_tx_cr_est -= n; + h2n->swsi->txc.peer_tx_cr_est -= n; + wsi->txc.peer_tx_cr_est -= n; + } do_windows: From 207d634fc0fb7b57c6bcdb26b6aa6cbc8a7376f5 Mon Sep 17 00:00:00 2001 From: Davidovory03 Date: Sun, 19 Jan 2025 16:48:31 +0000 Subject: [PATCH 11/13] mbedtls: translate error codes for caller https://github.com/warmcat/libwebsockets/issues/3315 --- lib/tls/mbedtls/wrapper/platform/ssl_pm.c | 38 ++++++++++++++++------- 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c index a248906a2..19b071f13 100755 --- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c +++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c 
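Review bot: `if (n)` in `lws_h2_parser()` excludes only zero, so a negative `n` would still reach `in += (unsigned int)n - 1` and the two `peer_tx_cr_est` subtractions. There the cast turns it into a very large pointer advance, and the subtraction increases the estimated credit. The declaration and assignment of `n` are above the hunk; if it is a signed type that can carry an error value, the guard should be `if (n > 0) {`. A one-line comment on why a zero-length DATA payload must skip the `- 1` adjustment would also help.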
@@ -423,24 +423,38 @@ int ssl_pm_clear(SSL *ssl) int ssl_pm_read(SSL *ssl, void *buffer, int len) { - int ret; - struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; + int ret; + struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; - ret = mbedtls_ssl_read(&ssl_pm->ssl, buffer, (size_t)len); - if (ret < 0) { - // lwsl_notice("%s: mbedtls_ssl_read says -0x%x\n", __func__, -ret); - SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_read() return -0x%x", -ret); - if (ret == MBEDTLS_ERR_NET_CONN_RESET || + ret = mbedtls_ssl_read(&ssl_pm->ssl, buffer, (size_t)len); + if (ret < 0) { +// lwsl_notice("%s: mbedtls_ssl_read says -0x%x\n", __func__, -ret); + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_read() return -0x%x", -ret); + if (ret == MBEDTLS_ERR_NET_CONN_RESET || #if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000 - ret <= MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE) /* fatal errors */ + ret <= MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE) /* fatal errors */ #else - ret <= MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) /* fatal errors */ + ret <= MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) /* fatal errors */ #endif ssl->err = SSL_ERROR_SYSCALL; - ret = -1; - } - return ret; + switch (ret) { + case MBEDTLS_ERR_NET_CONN_RESET: + ssl->err = SSL_ERROR_SYSCALL; + break; + case MBEDTLS_ERR_SSL_WANT_WRITE: + ssl->err = SSL_ERROR_WANT_WRITE; + break; + case MBEDTLS_ERR_SSL_WANT_READ: + ssl->err = SSL_ERROR_WANT_READ; + break; + default: + break; + } + ret = -1; + } + + return ret; } /* From 8210ccba08072a58c750c8f85160c8825f4708f7 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Wed, 22 Jan 2025 10:08:55 +0000 Subject: [PATCH 12/13] sll_protocol may be be16 Google's fuzzer platform blows a warning /src/libwebsockets/lib/plat/unix/unix-sockets.c:497:21: warning: implicit conversion loses integer precision: 'uint32_t' (aka 'unsigned int') to '__be16' (aka 'unsigned short') [-Wimplicit-int-conversion] 497 | sll.sll_protocol = (uint32_t)(htons((uint16_t)0x800)); 
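Review bot: The `default:` arm of the new switch in `ssl_pm_read()` leaves `ssl->err` untouched. For a negative return that is neither caught by the fatal range test nor one of the three named codes, the caller sees whatever an earlier call stored. After this change that can be a stale `SSL_ERROR_WANT_READ` or `SSL_ERROR_WANT_WRITE`, which would make a real failure look retryable. Whether `ssl->err` is reset before this function runs is not visible here. Giving the default a definite value, for instance `default: ssl->err = SSL_ERROR_SYSCALL; break;`, would remove the dependence on earlier state. The `case MBEDTLS_ERR_NET_CONN_RESET:` arm also repeats what the `if` above it already sets, so one of the two can go.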
From e0c312c20248b2c7f509216e3b3463dc372fc114 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Wed, 22 Jan 2025 10:15:29 +0000 Subject: [PATCH 13/13] google-fuzzer: avoid warnings about c / c++ size diff --- lib/secure-streams/private-lib-secure-streams.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/secure-streams/private-lib-secure-streams.h b/lib/secure-streams/private-lib-secure-streams.h index 332e16634..c46af3218 100644 --- a/lib/secure-streams/private-lib-secure-streams.h +++ b/lib/secure-streams/private-lib-secure-streams.h @@ -132,17 +132,17 @@ typedef struct lws_ss_handle { union { struct { /* LWSSSP_H1 */ -#if defined(WIN32) +#if defined(WIN32) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) uint8_t dummy; #endif } h1; struct { /* LWSSSP_H2 */ -#if defined(WIN32) +#if defined(WIN32) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) uint8_t dummy; #endif } h2; struct { /* LWSSSP_WS */ -#if defined(WIN32) +#if defined(WIN32) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) uint8_t dummy; #endif } ws;