diff --git a/lib/client.c b/lib/client.c
index d9a1af37..af80e276 100644
--- a/lib/client.c
+++ b/lib/client.c
@@ -751,6 +751,7 @@ check_accept:
 lwsl_err("Out of Mem allocating rx buffer %d\n", n);
 goto bail2;
 }
+ wsi->u.ws.rx_ubuf_alloc = n;
 lwsl_info("Allocating client RX buffer %d\n", n);
 if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF, (const char *)&n,
diff --git a/lib/parsers.c b/lib/parsers.c
index 18037d0d..e08f4f6c 100644
--- a/lib/parsers.c
+++ b/lib/parsers.c
@@ -885,6 +885,10 @@ handle_first:
 return 1;
 }
+ if (wsi->u.ws.rx_user_buffer_head + LWS_SEND_BUFFER_PRE_PADDING >= wsi->u.ws.rx_ubuf_alloc) {
+ lwsl_err("Attempted overflow\n");
+ return -1;
+ }
 if (wsi->u.ws.all_zero_nonce) wsi->u.ws.rx_user_buffer[LWS_SEND_BUFFER_PRE_PADDING + (wsi->u.ws.rx_user_buffer_head++)] = c;
diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h
index 62a3646d..a8277f02 100644
--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@@ -818,6 +818,7 @@ struct _lws_websocket_related {
 unsigned int rx_user_buffer_head;
 unsigned char mask_nonce[4];
 unsigned char frame_mask_index;
+ unsigned int rx_ubuf_alloc;
 size_t rx_packet_length;
 unsigned char opcode;
 unsigned int final:1;
diff --git a/lib/server.c b/lib/server.c
index 7e728f36..e3e8ef74 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -566,6 +566,7 @@ upgrade_ws:
 lwsl_err("Out of Mem allocating rx buffer %d\n", n);
 return 1;
 }
+ wsi->u.ws.rx_ubuf_alloc = n;
 lwsl_info("Allocating RX buffer %d\n", n);
 #if LWS_POSIX
 if (setsockopt(wsi->sock, SOL_SOCKET, SO_SNDBUF,
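Review bot: `rx_ubuf_alloc` is now a second piece of state that must always match the live `rx_user_buffer`, and this commit sets it at only two sites: here after the client allocation and in the `upgrade_ws` hunk of lib/server.c. If the buffer is allocated, resized or freed anywhere else (not visible in this diff), the field stays at zero or goes stale, and the new check in lib/parsers.c then either rejects every byte or trusts a wrong size. Setting pointer and size together in one small helper, or at least adding a comment at each site such as `/* keep in sync with rx_user_buffer: parsers.c bounds-checks against this */`, would make the invariant harder to break. The enclosing function starts and ends outside the hunk.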
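Review bot: The new guard before the `rx_user_buffer[LWS_SEND_BUFFER_PRE_PADDING + head]` write bounds the index against the whole allocation, since `rx_ubuf_alloc` is the `n` recorded in client.c and server.c. That keeps the store inside the heap block, but if `n` also covers trailing padding reserved after the payload area (not visible in this diff), payload bytes can still be written into that region; worth confirming whether the limit should be the allocation minus that padding. The message `Attempted overflow` carries no values, so something like `lwsl_err("rx overflow: head %u, alloc %u\n", wsi->u.ws.rx_user_buffer_head, wsi->u.ws.rx_ubuf_alloc);` would make a peer-triggered rejection easier to triage. The enclosing function starts and ends outside the hunk.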
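Review bot: The new field `rx_ubuf_alloc` has no comment saying what it measures, and the bounds check in lib/parsers.c depends on its exact meaning. A one-line comment such as `/* bytes allocated for rx_user_buffer; set wherever that buffer is allocated */` would document it. The field is `unsigned int` but is assigned from `n`, which the `%d` format in the client.c and server.c log calls suggests is a signed int, so a negative value would convert silently to a very large limit; presumably `n` is always a small positive size at that point, but that should be confirmed.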