diff --git a/lib/client.c b/lib/client.c index 35d3f7a9..344cf6f9 100644 --- a/lib/client.c +++ b/lib/client.c @@ -813,6 +813,7 @@ check_accept: lwsl_err("Out of Mem allocating rx buffer %d\n", n); goto bail2; } + wsi->u.ws.rx_ubuf_alloc = n; lwsl_info("Allocating client RX buffer %d\n", n); if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF, (const char *)&n, diff --git a/lib/parsers.c b/lib/parsers.c index 71706206..93a12107 100644 --- a/lib/parsers.c +++ b/lib/parsers.c @@ -1016,6 +1016,10 @@ handle_first: assert(wsi->u.ws.rx_ubuf); + if (wsi->u.ws.rx_ubuf_head + LWS_PRE + 4 >= wsi->u.ws.rx_ubuf_alloc) { + lwsl_err("Attempted overflow\n"); + return -1; + } if (wsi->u.ws.all_zero_nonce) wsi->u.ws.rx_ubuf[LWS_PRE + (wsi->u.ws.rx_ubuf_head++)] = c; diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h index e618a135..d7f069cd 100644 --- a/lib/private-libwebsockets.h +++ b/lib/private-libwebsockets.h @@ -840,6 +840,7 @@ struct _lws_header_related { struct _lws_websocket_related { char *rx_ubuf; + unsigned int rx_ubuf_alloc; struct lws *rx_draining_ext_list; struct lws *tx_draining_ext_list; size_t rx_packet_length; diff --git a/lib/server.c b/lib/server.c index 07156454..d535b81a 100644 --- a/lib/server.c +++ b/lib/server.c @@ -545,6 +545,7 @@ upgrade_ws: lwsl_err("Out of Mem allocating rx buffer %d\n", n); return 1; } + wsi->u.ws.rx_ubuf_alloc = n; lwsl_info("Allocating RX buffer %d\n", n); #if LWS_POSIX if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF,