From 4bc6f95974226b815fa4e83457a06781f4b0a338 Mon Sep 17 00:00:00 2001
From: Andy Green <andy.green@linaro.org>
Date: Thu, 21 Jan 2016 11:00:34 +0800
Subject: [PATCH] fuzzer handle junk after upgrade header

Signed-off-by: Andy Green <andy.green@linaro.org>
---
 lib/server.c | 62 +++++++++++++++++++++++++++++-----------------------
 1 file changed, 35 insertions(+), 27 deletions(-)

diff --git a/lib/server.c b/lib/server.c
index dfa8c55f..0aec59b0 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -347,6 +347,8 @@ int lws_handshake_server(struct libwebsocket_context *context,
 	/* LWS_CONNMODE_WS_SERVING */
 
 	while (len--) {
+		assert(wsi->mode == LWS_CONNMODE_HTTP_SERVING);
+
 		if (libwebsocket_parse(context, wsi, *(*buf)++)) {
 			lwsl_info("libwebsocket_parse failed\n");
 			goto bail_nuke_ah;
@@ -362,33 +364,39 @@ int lws_handshake_server(struct libwebsocket_context *context,
 
 		/* is this websocket protocol or normal http 1.0? */
 
-		if (!lws_hdr_total_length(wsi, WSI_TOKEN_UPGRADE) ||
-			     !lws_hdr_total_length(wsi, WSI_TOKEN_CONNECTION)) {
-			
-			ah = wsi->u.hdr.ah;
-			
-			lws_union_transition(wsi, LWS_CONNMODE_HTTP_SERVING_ACCEPTED);
-			wsi->state = WSI_STATE_HTTP;
-			wsi->u.http.fd = LWS_INVALID_FILE;
-
-			/* expose it at the same offset as u.hdr */
-			wsi->u.http.ah = ah;
-			
-			n = lws_http_action(context, wsi);
-
-			return n;
+		if (lws_hdr_total_length(wsi, WSI_TOKEN_UPGRADE)) {
+			if (!strcasecmp(lws_hdr_simple_ptr(wsi, WSI_TOKEN_UPGRADE),
+					"websocket")) {
+				lwsl_info("Upgrade to ws\n");
+				goto upgrade_ws;
+			}
+#ifdef LWS_USE_HTTP2
+			if (!strcasecmp(lws_hdr_simple_ptr(wsi, WSI_TOKEN_UPGRADE),
+					"h2c-14")) {
+				lwsl_info("Upgrade to h2c-14\n");
+				goto upgrade_h2c;
+			}
+#endif
+			lwsl_err("Unknown upgrade\n");
+			/* dunno what he wanted to upgrade to */
+			goto bail_nuke_ah;
 		}
 
-		if (!strcasecmp(lws_hdr_simple_ptr(wsi, WSI_TOKEN_UPGRADE),
-								"websocket"))
-			goto upgrade_ws;
-#ifdef LWS_USE_HTTP2
-		if (!strcasecmp(lws_hdr_simple_ptr(wsi, WSI_TOKEN_UPGRADE),
-								"h2c-14"))
-			goto upgrade_h2c;
-#endif
-		/* dunno what he wanted to upgrade to */
-		goto bail_nuke_ah;
+		/* no upgrade ack... he remained as HTTP */
+
+		lwsl_info("No upgrade\n");
+
+		ah = wsi->u.hdr.ah;
+
+		lws_union_transition(wsi, LWS_CONNMODE_HTTP_SERVING_ACCEPTED);
+		wsi->state = WSI_STATE_HTTP;
+		wsi->u.http.fd = LWS_INVALID_FILE;
+
+		/* expose it at the same offset as u.hdr */
+		wsi->u.http.ah = ah;
+
+		n = lws_http_action(context, wsi);
+		return n;
 
 #ifdef LWS_USE_HTTP2
 upgrade_h2c:
@@ -575,9 +583,9 @@ upgrade_ws:
 			lwsl_warn("Failed to set SNDBUF to %d", n);
 			return 1;
 		}
+		lwsl_parser("accepted v%02d connection\n", wsi->ietf_spec_revision);
 
-		lwsl_parser("accepted v%02d connection\n",
-						       wsi->ietf_spec_revision);
+		return 0;
 	} /* while all chars are handled */
 
 	return 0;