Fix integer overflow in actix_http::ws::Parser::parse (#3728)

* Fix integer overflow in actix_http::ws::Parser::parse

* Add changelog

---------

Co-authored-by: Yuki Okushi <huyuumi.dev@gmail.com>

actix-http/CHANGES.md

@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Malformed websocket frames are now gracefully rejected.
+
 ## 3.11.0
 
 - Update `brotli` dependency to `8`.

actix-http/src/ws/frame.rs

@@ -94,11 +94,21 @@ impl Parser {
             Some(res) => res,
         };
 
+        let frame_len = match idx.checked_add(length) {
+            Some(len) => len,
+            None => return Err(ProtocolError::Overflow),
+        };
+
         // not enough data
-        if src.len() < idx + length {
+        if src.len() < frame_len {
             let min_length = min(length, max_size);
-            if src.capacity() < idx + min_length {
+            let required_cap = match idx.checked_add(min_length) {
-                src.reserve(idx + min_length - src.capacity());
+                Some(cap) => cap,
+                None => return Err(ProtocolError::Overflow),
+            };
+
+            if src.capacity() < required_cap {
+                src.reserve(required_cap - src.capacity());
             }
             return Ok(None);
         }
@@ -402,4 +412,14 @@ mod tests {
         Parser::write_close(&mut buf, None, false);
         assert_eq!(&buf[..], &vec![0x88, 0x00][..]);
     }
+
+    #[test]
+    fn test_parse_length_overflow() {
+        let buf: [u8; 14] = [
+            0x0a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xeb, 0x0e, 0x8f,
+        ];
+        let mut buf = BytesMut::from(&buf[..]);
+        let result = Parser::parse(&mut buf, true, 65536);
+        assert!(matches!(result, Err(ProtocolError::Overflow)));
+    }
 }