Add a public api to set max frame and message size (CVE-2018-21035)

This change allows the user to set a lower allowed frame/message size
for reception. The purpose is to avoid an attacker to exhaust the
virtual memory of the peer.
Fixes CVE-2018-21035

[ChangeLog] Added public API to set the maximum frame size and message size

Task-number: QTBUG-70693
Change-Id: I5dc5918badc99166afdcc8d9c6106247a9f8666f
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>

1 files changed, 7 insertions, 0 deletions

diff --git a/src/websockets/qwebsocketdataprocessor_p.h b/src/websockets/qwebsocketdataprocessor_p.h
index 03635b1..62a2dc0 100644
--- a/src/websockets/qwebsocketdataprocessor_p.h
+++ b/src/websockets/qwebsocketdataprocessor_p.h
@@ -65,6 +65,8 @@ QT_BEGIN_NAMESPACE
 class QIODevice;
 class QWebSocketFrame;
 
+const quint64 MAX_MESSAGE_SIZE_IN_BYTES = std::numeric_limits<int>::max() - 1;
+
 class Q_AUTOTEST_EXPORT QWebSocketDataProcessor : public QObject
 {
     Q_OBJECT
@@ -74,6 +76,10 @@ public:
     explicit QWebSocketDataProcessor(QObject *parent = nullptr);
     ~QWebSocketDataProcessor() override;
 
+    void setMaxAllowedFrameSize(quint64 maxAllowedFrameSize);
+    quint64 maxAllowedFrameSize() const;
+    void setMaxAllowedMessageSize(quint64 maxAllowedMessageSize);
+    quint64 maxAllowedMessageSize() const;
     static quint64 maxMessageSize();
     static quint64 maxFrameSize();
 
@@ -115,6 +121,7 @@ private:
     QTextCodec *m_pTextCodec;
     QWebSocketFrame frame;
     QTimer waitTimer;
+    quint64 m_maxAllowedMessageSize = MAX_MESSAGE_SIZE_IN_BYTES;
 
     bool processControlFrame(const QWebSocketFrame &frame);
     void timeout();