author | ukai@chromium.org <ukai@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-07 04:32:48 +0000 |
---|---|---|
committer | ukai@chromium.org <ukai@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-07 04:32:48 +0000 |
commit | b792af76625e5f3d9801277b628352243fdcbb18 (patch) | |
tree | 1eaedd2e02422495303e12efd430540a5e153e47 /net | |
parent | 3bc2379e208bd30629e2a881c5121636c5216ebc (diff) | |
Fix WebSocket length parser
Frames denoted by bytes that have the high bit set (0x80 to
0xFF) have a leading length indicator, which is encoded as a series
of 7-bit bytes stored in octets with the 8th bit being set for all
but the last byte.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/465094
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@33951 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/websockets/websocket.cc | 7 | ||||
-rw-r--r-- | net/websockets/websocket_unittest.cc | 6 |
2 files changed, 8 insertions, 5 deletions
diff --git a/net/websockets/websocket.cc b/net/websockets/websocket.cc
index e588707..719a870 100644
--- a/net/websockets/websocket.cc
+++ b/net/websockets/websocket.cc
@@ -391,14 +391,17 @@ void WebSocket::ProcessFrameData() {
 unsigned char frame_byte = static_cast<unsigned char>(*p++);
 if ((frame_byte & 0x80) == 0x80) {
 int length = 0;
- while (p < end && (*p & 0x80) == 0x80) {
+ while (p < end) {
 if (length > std::numeric_limits<int>::max() / 128) {
 // frame length overflow.
 socket_stream_->Close();
 return;
 }
- length = length * 128 + (*p & 0x7f);
+ unsigned char c = static_cast<unsigned char>(*p);
+ length = length * 128 + (c & 0x7f);
 ++p;
+ if ((c & 0x80) != 0x80)
+ break;
 }
 // Checks if the frame body hasn't been completely received yet.
 // It also checks the case the frame length bytes haven't been completely
diff --git a/net/websockets/websocket_unittest.cc b/net/websockets/websocket_unittest.cc
index 4dbfb9e..08b7bed 100644
--- a/net/websockets/websocket_unittest.cc
+++ b/net/websockets/websocket_unittest.cc
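Review bot: The rewritten length loop in WebSocket::ProcessFrameData does not limit how many length bytes it accepts. A continuation byte whose low seven bits are zero leaves `length` at 0, so the `length > std::numeric_limits<int>::max() / 128` guard never fires and the loop runs to `end`. If the code after the hunk then waits for more data (it is not visible here, so this is inferred), a peer that never sends a terminating length byte keeps the read buffer growing. Counting the length bytes would bound this, e.g. `int length_bytes = 0;` beside `length` and `if (++length_bytes > 5) { socket_stream_->Close(); return; }` at the top of the loop. Since `length` comes from the network and may reach INT_MAX, a maximum frame size enforced here would also be worth adding; ProcessFrameData starts before and continues after this hunk.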
@@ -258,16 +258,16 @@ TEST_F(WebSocketTest, ProcessFrameDataForLengthCalculation) { new WebSocket(request, delegate.get())); // Frame data: skip length 1 ('x'), and try to skip length 129 - // (1 * 128 + 1) bytes after second \x81, but buffer is too short to skip. + // (1 * 128 + 1) bytes after \x81\x01, but buffer is too short to skip. static const char kTestLengthFrame[] = - "\x80\x81x\x80\x81\x81\x01\x00unexpected data\xFF"; + "\x80\x01x\x80\x81\x01\x01\x00unexpected data\xFF"; const int kTestLengthFrameLength = sizeof(kTestLengthFrame) - 1; InitReadBuf(websocket.get()); AddToReadBuf(websocket.get(), kTestLengthFrame, kTestLengthFrameLength); SetReadConsumed(websocket.get(), 0); static const char kExpectedRemainingFrame[] = - "\x80\x81\x81\x01\x00unexpected data\xFF"; + "\x80\x81\x01\x01\x00unexpected data\xFF"; const int kExpectedRemainingLength = sizeof(kExpectedRemainingFrame) - 1; TestProcessFrameData(websocket.get(), kExpectedRemainingFrame, kExpectedRemainingLength); |
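Review bot: The updated fixture in ProcessFrameDataForLengthCalculation covers only a complete one-byte length (`\x01`) and a complete two-byte length (`\x81\x01`), so two paths the parser change touches stay untested. One is a buffer that ends on a continuation byte, where the length bytes are only partly received. The other is a length that trips the overflow guard and closes the stream. I would add a case for each, for instance a frame truncated right after `\x80\x81`, asserting that nothing is consumed, and a run of `\xFF` length bytes long enough to trigger the close. The test body starts before this hunk, and other tests in the file may already cover some of this.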