Fix integer overflow in actix_http::ws::Parser::parse (#3728)

* Fix integer overflow in actix_http::ws::Parser::parse * Add changelog --------- Co-authored-by: Yuki Okushi <huyuumi.dev@gmail.com>
2025-08-30 08:38:16 +02:00 · 2025-08-22 08:24:22 +02:00
parent 37203c7fd8
commit 5f6c84494a
2 changed files with 25 additions and 3 deletions
--- a/actix-http/CHANGES.md
+++ b/actix-http/CHANGES.md
@@ -2,6 +2,8 @@

 ## Unreleased

+- Malformed websocket frames are now gracefully rejected.
+
 ## 3.11.0

 - Update `brotli` dependency to `8`.
--- a/actix-http/src/ws/frame.rs
+++ b/actix-http/src/ws/frame.rs
@@ -94,11 +94,21 @@ impl Parser {
            Some(res) => res,
        };

+        let frame_len = match idx.checked_add(length) {
+            Some(len) => len,
+            None => return Err(ProtocolError::Overflow),
+        };
+
        // not enough data
-        if src.len() < idx + length {
+        if src.len() < frame_len {
            let min_length = min(length, max_size);
-            if src.capacity() < idx + min_length {
-                src.reserve(idx + min_length - src.capacity());
+            let required_cap = match idx.checked_add(min_length) {
+                Some(cap) => cap,
+                None => return Err(ProtocolError::Overflow),
+            };
+
+            if src.capacity() < required_cap {
+                src.reserve(required_cap - src.capacity());
            }
            return Ok(None);
        }
@@ -402,4 +412,14 @@ mod tests {
        Parser::write_close(&mut buf, None, false);
        assert_eq!(&buf[..], &vec![0x88, 0x00][..]);
    }
+
+    #[test]
+    fn test_parse_length_overflow() {
+        let buf: [u8; 14] = [
+            0x0a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xeb, 0x0e, 0x8f,
+        ];
+        let mut buf = BytesMut::from(&buf[..]);
+        let result = Parser::parse(&mut buf, true, 65536);
+        assert!(matches!(result, Err(ProtocolError::Overflow)));
+    }
 }