From 5f6c84494a6c99b5cc0f93bb0d8710571ae438b6 Mon Sep 17 00:00:00 2001 From: Guido Vranken Date: Fri, 22 Aug 2025 08:24:22 +0200 Subject: [PATCH] Fix integer overflow in actix_http::ws::Parser::parse (#3728) * Fix integer overflow in actix_http::ws::Parser::parse * Add changelog --------- Co-authored-by: Yuki Okushi --- actix-http/CHANGES.md | 2 ++ actix-http/src/ws/frame.rs | 26 +++++++++++++++++++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/actix-http/CHANGES.md b/actix-http/CHANGES.md index dc0a02730..823633753 100644 --- a/actix-http/CHANGES.md +++ b/actix-http/CHANGES.md @@ -2,6 +2,8 @@ ## Unreleased +- Malformed websocket frames are now gracefully rejected. + ## 3.11.0 - Update `brotli` dependency to `8`. diff --git a/actix-http/src/ws/frame.rs b/actix-http/src/ws/frame.rs index 35b3f8e66..7147cc92a 100644 --- a/actix-http/src/ws/frame.rs +++ b/actix-http/src/ws/frame.rs @@ -94,11 +94,21 @@ impl Parser { Some(res) => res, }; + let frame_len = match idx.checked_add(length) { + Some(len) => len, + None => return Err(ProtocolError::Overflow), + }; + // not enough data - if src.len() < idx + length { + if src.len() < frame_len { let min_length = min(length, max_size); - if src.capacity() < idx + min_length { - src.reserve(idx + min_length - src.capacity()); + let required_cap = match idx.checked_add(min_length) { + Some(cap) => cap, + None => return Err(ProtocolError::Overflow), + }; + + if src.capacity() < required_cap { + src.reserve(required_cap - src.capacity()); } return Ok(None); } @@ -402,4 +412,14 @@ mod tests { Parser::write_close(&mut buf, None, false); assert_eq!(&buf[..], &vec![0x88, 0x00][..]); } + + #[test] + fn test_parse_length_overflow() { + let buf: [u8; 14] = [ + 0x0a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xeb, 0x0e, 0x8f, + ]; + let mut buf = BytesMut::from(&buf[..]); + let result = Parser::parse(&mut buf, true, 65536); + assert!(matches!(result, Err(ProtocolError::Overflow))); + } }