authorFranck Dude <enstone83@gmail.com>2019-12-07 17:37:08 +0100
committerFranck Dude <enstone83@gmail.com>2019-12-13 20:10:20 +0100
commitdb472ab205b37f44cb2d65ad861152cb9f48f2e8 (patch)
tree9a9fa61d2be9d403649d13762a17482dfa61779e
parentcea5603ee1a56bb5d177f35ed3f884345875099e (diff)
Add protection against handshake header too large
Task-number: QTBUG-70691 Change-Id: I54b9f7157e5830b9efd8bae7d4777218857249b1 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
-rw-r--r--src/websockets/qwebsocketserver_p.cpp10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/websockets/qwebsocketserver_p.cpp b/src/websockets/qwebsocketserver_p.cpp
index 574adf5..1009f52 100644
--- a/src/websockets/qwebsocketserver_p.cpp
+++ b/src/websockets/qwebsocketserver_p.cpp
@@ -432,10 +432,18 @@ void QWebSocketServerPrivate::handshakeReceived()
// According to RFC822 the body is separated from the headers by a null line (CRLF)
const QByteArray& endOfHeaderMarker = QByteArrayLiteral("\r\n\r\n");
- QByteArray header = pTcpSocket->peek(pTcpSocket->bytesAvailable());
+ const qint64 byteAvailable = pTcpSocket->bytesAvailable();
+ QByteArray header = pTcpSocket->peek(byteAvailable);
const int endOfHeaderIndex = header.indexOf(endOfHeaderMarker);
if (endOfHeaderIndex < 0) {
//then we don't have our header complete yet
+ //check that no one is trying to exhaust our virtual memory
+ const qint64 maxHeaderLength = MAX_HEADERLINE_LENGTH * MAX_HEADERLINES + endOfHeaderMarker.size();
+ if (byteAvailable > maxHeaderLength) {
+ pTcpSocket->close();
+ setError(QWebSocketProtocol::CloseCodeTooMuchData,
+ QWebSocketServer::tr("Header is too large."));
+ }
return;
}
const int headerSize = endOfHeaderIndex + endOfHeaderMarker.size();
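Review bot: The size check at `if (byteAvailable > maxHeaderLength)` runs only after `peek(byteAvailable)` has already copied the whole receive buffer, and that copy is repeated on every readyRead for as long as the terminator is missing. Computing `maxHeaderLength` before the peek and using `pTcpSocket->peek(qMin(byteAvailable, maxHeaderLength))` would bound the copy. It would also reject a terminator that first appears beyond the limit, which the new code accepts because the check sits inside the `endOfHeaderIndex < 0` branch. Whether the socket's own read buffer is capped (for example with `setReadBufferSize`) is not visible here and is worth confirming, since this check does not limit what Qt buffers between signals. The body of handshakeReceived starts and ends outside the hunk.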