Thanks to Fabrice Gilot for reporting the problem that led to uncovering this.
Due to a misunderstanding of the return value of snprintf (it is not truncated according
to the max size passed in) in several places relying on snprintf to truncate the length
overflows are possible.
This patch wraps snprintf with a new lws_snprintf() which does truncate its length to allow
the buffer limiting scheme to work properly.
All users should update with these fixes.
Openssl v1.0.2 and above have support for checking the hostname
the client side connected to against the hostname on the cert the
server presented.
This enables that feature if the necessary API is available in the
openssl version, meaning the connection will fail at ssl negotiation if the
cert isn't for the requested server
It's very easy to test, add a fake entry to /etc/hosts for the server IP with
a different name, using that will fail at ssl but using the correct dns name
matching the certificate will work.
Valgrind caught http/1.1 pipelining using dead user agent alloc
for logging... NULL it when we free it since the wsi can be
reused with keepalive
==16208== Invalid free() / delete / delete[] / realloc()
==16208== at 0x4847ACC: free (vg_replace_malloc.c:530)
==16208== by 0x4888DC3: _realloc (alloc.c:8)
==16208== by 0x4888DFF: lws_realloc (alloc.c:16)
==16208== by 0x487DBCB: lws_access_log (libwebsockets.c:2352)
==16208== by 0x48956DF: lws_http_transaction_completed (server.c:1245)
==16208== by 0x4893757: lws_http_serve (server.c:340)
==16208== by 0x48946EF: lws_http_action (server.c:748)
==16208== by 0x4894CEF: lws_handshake_server (server.c:900)
==16208== by 0x48786BF: lws_read (handshake.c:120)
==16208== by 0x4896103: lws_server_socket_service (server.c:1580)
==16208== by 0x487FB6B: lws_service_fd_tsi (service.c:779)
==16208== by 0x48803B7: lws_service_fd (service.c:1079)
==16208== Address 0x552e5f8 is 0 bytes inside a block of size 86 free'd
==16208== at 0x4847ACC: free (vg_replace_malloc.c:530)
==16208== by 0x4888DC3: _realloc (alloc.c:8)
==16208== by 0x4888DFF: lws_realloc (alloc.c:16)
==16208== by 0x487DBCB: lws_access_log (libwebsockets.c:2352)
==16208== by 0x48956DF: lws_http_transaction_completed (server.c:1245)
==16208== by 0x4893757: lws_http_serve (server.c:340)
==16208== by 0x48946EF: lws_http_action (server.c:748)
==16208== by 0x4894CEF: lws_handshake_server (server.c:900)
==16208== by 0x48786BF: lws_read (handshake.c:120)
==16208== by 0x4896103: lws_server_socket_service (server.c:1580)
==16208== by 0x487FB6B: lws_service_fd_tsi (service.c:779)
==16208== by 0x48803B7: lws_service_fd (service.c:1079)
==16208== Block was alloc'd at
==16208== at 0x4846498: malloc (vg_replace_malloc.c:298)
==16208== by 0x4848D57: realloc (vg_replace_malloc.c:785)
==16208== by 0x4888DA7: _realloc (alloc.c:6)
==16208== by 0x4888DFF: lws_realloc (alloc.c:16)
==16208== by 0x4893EAF: lws_http_action (server.c:565)
==16208== by 0x4894CEF: lws_handshake_server (server.c:900)
==16208== by 0x48786BF: lws_read (handshake.c:120)
==16208== by 0x4896103: lws_server_socket_service (server.c:1580)
==16208== by 0x487FB6B: lws_service_fd_tsi (service.c:779)
==16208== by 0x48803B7: lws_service_fd (service.c:1079)
==16208== by 0x48994B7: lws_io_cb (libuv.c:101)
==16208== by 0x4AE7B1F: ??? (in /usr/lib/libuv.so.1.0.0)
Signed-off-by: Andy Green <andy@warmcat.com>
Until now lws has finished the HTTP transaction when the POST body was
completely received.
However that needlessly makes it impossible to send a HTTP 200 and a
response without a redirect.
This changes lws behaviour after sending the LWS_CALLBACK_HTTP_BODY_COMPLETION
callback to no longer terminate the HTTP transaction.
If you want the old behaviour, you can terminate the transaction with
lws_http_transaction_completed() in the LWS_CALLBACK_HTTP_BODY_COMPLETION
callback.
Otherwise it's now possible to call lws_callback_on_writable() from
LWS_CALLBACK_HTTP_BODY_COMPLETION.
Signed-off-by: Andy Green <andy@warmcat.com>
- libuv socket init binding was missing for client
- failures like no ws protocol match are deferred until the
ah is bound. Check for these failures and make sure we
tell the guy trying to set up the client connection the
wsi is NULL if it has already failed and closed.
- pfd.events was not initialized for the client init path
With this general client function is more robust but also
client connections work properly with libuv.
Signed-off-by: Andy Green <andy@warmcat.com>
If for some reason we exit before the protocol init action
(which is delayed for libuv) we should not send the protocol
destroy messages
Signed-off-by: Andy Green <andy@warmcat.com>
