diff --git a/lib/client.c b/lib/client.c index 5afd8eab..fb0c0671 100644 --- a/lib/client.c +++ b/lib/client.c @@ -767,6 +767,7 @@ check_accept: lwsl_err("Out of Mem allocating rx buffer %d\n", n); goto bail2; } + wsi->u.ws.rx_ubuf_alloc = n; lwsl_info("Allocating client RX buffer %d\n", n); if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF, (const char *)&n, sizeof n)) { diff --git a/lib/parsers.c b/lib/parsers.c index b660b38e..aa99a44e 100644 --- a/lib/parsers.c +++ b/lib/parsers.c @@ -820,6 +820,10 @@ handle_first: return 1; } + if (wsi->u.ws.rx_ubuf_head + LWS_PRE >= wsi->u.ws.rx_ubuf_alloc) { + lwsl_err("Attempted overflow\n"); + return -1; + } if (wsi->u.ws.all_zero_nonce) wsi->u.ws.rx_user_buffer[LWS_SEND_BUFFER_PRE_PADDING + (wsi->u.ws.rx_user_buffer_head++)] = c; diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h index c9c69968..45bb563c 100644 --- a/lib/private-libwebsockets.h +++ b/lib/private-libwebsockets.h @@ -776,6 +776,7 @@ struct _lws_header_related { struct _lws_websocket_related { char *rx_user_buffer; int rx_user_buffer_head; + unsigned int rx_ubuf_alloc; unsigned char frame_masking_nonce_04[4]; unsigned char frame_mask_index; size_t rx_packet_length; diff --git a/lib/server.c b/lib/server.c index b98bf1e9..e987042a 100644 --- a/lib/server.c +++ b/lib/server.c @@ -561,6 +561,7 @@ upgrade_ws: lwsl_err("Out of Mem allocating rx buffer %d\n", n); return 1; } + wsi->u.ws.rx_ubuf_alloc = n; lwsl_info("Allocating RX buffer %d\n", n); if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF, (const char *)&n, sizeof n)) {