fuzzer rx overflow mitigate

Signed-off-by: Andy Green <andy.green@linaro.org>

lib/client.c

@@ -767,6 +767,7 @@ check_accept:
 		lwsl_err("Out of Mem allocating rx buffer %d\n", n);
 		goto bail2;
 	}
+       wsi->u.ws.rx_ubuf_alloc = n;
 	lwsl_info("Allocating client RX buffer %d\n", n);
 
 	if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF, (const char *)&n, sizeof n)) {

lib/parsers.c

@@ -820,6 +820,10 @@ handle_first:
 			return 1;
 		}
 
+               if (wsi->u.ws.rx_ubuf_head + LWS_PRE >= wsi->u.ws.rx_ubuf_alloc) {
+                       lwsl_err("Attempted overflow\n");
+                       return -1;
+               }
 		if (wsi->u.ws.all_zero_nonce)
 			wsi->u.ws.rx_user_buffer[LWS_SEND_BUFFER_PRE_PADDING +
 			       (wsi->u.ws.rx_user_buffer_head++)] = c;

lib/private-libwebsockets.h

@@ -776,6 +776,7 @@ struct _lws_header_related {
 struct _lws_websocket_related {
 	char *rx_user_buffer;
 	int rx_user_buffer_head;
+	unsigned int rx_ubuf_alloc;
 	unsigned char frame_masking_nonce_04[4];
 	unsigned char frame_mask_index;
 	size_t rx_packet_length;

lib/server.c

@@ -561,6 +561,7 @@ upgrade_ws:
 			lwsl_err("Out of Mem allocating rx buffer %d\n", n);
 			return 1;
 		}
+		wsi->u.ws.rx_ubuf_alloc = n;
 		lwsl_info("Allocating RX buffer %d\n", n);
 
 		if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF, (const char *)&n, sizeof n)) {