From db472ab205b37f44cb2d65ad861152cb9f48f2e8 Mon Sep 17 00:00:00 2001
From: Franck Dude
Date: Sat, 7 Dec 2019 17:37:08 +0100
Subject: Add protection against handshake header too large
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Task-number: QTBUG-70691
Change-Id: I54b9f7157e5830b9efd8bae7d4777218857249b1
Reviewed-by: MÃ¥rten Nordheim
---
 src/websockets/qwebsocketserver_p.cpp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/websockets/qwebsocketserver_p.cpp b/src/websockets/qwebsocketserver_p.cpp
index 574adf5..1009f52 100644
--- a/src/websockets/qwebsocketserver_p.cpp
+++ b/src/websockets/qwebsocketserver_p.cpp
@@ -432,10 +432,18 @@ void QWebSocketServerPrivate::handshakeReceived()
 // According to RFC822 the body is separated from the headers by a null line (CRLF)
 const QByteArray& endOfHeaderMarker = QByteArrayLiteral("\r\n\r\n");
- QByteArray header = pTcpSocket->peek(pTcpSocket->bytesAvailable());
+ const qint64 byteAvailable = pTcpSocket->bytesAvailable();
+ QByteArray header = pTcpSocket->peek(byteAvailable);
 const int endOfHeaderIndex = header.indexOf(endOfHeaderMarker);
 if (endOfHeaderIndex < 0) {
 //then we don't have our header complete yet
+ //check that no one is trying to exhaust our virtual memory
+ const qint64 maxHeaderLength = MAX_HEADERLINE_LENGTH * MAX_HEADERLINES + endOfHeaderMarker.size();
+ if (byteAvailable > maxHeaderLength) {
+ pTcpSocket->close();
+ setError(QWebSocketProtocol::CloseCodeTooMuchData, QWebSocketServer::tr("Header is too large."));
+ }
 return;
 }
 const int headerSize = endOfHeaderIndex + endOfHeaderMarker.size();
-- 
cgit v1.2.1
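Review bot: The size guard inside the `if (endOfHeaderIndex < 0)` branch runs only after `pTcpSocket->peek(byteAvailable)` has already copied the whole buffered input into `header`, so an oversized client still costs a full copy and a full `indexOf` scan on every readyRead before it is rejected, and a burst that exceeds `maxHeaderLength` but happens to contain the `\r\n\r\n` terminator bypasses the new check entirely (whether the later header-line parsing bounds that case is outside this hunk). Hoisting the limit above the peek and capping the read, `const qint64 maxHeaderLength = MAX_HEADERLINE_LENGTH * MAX_HEADERLINES + endOfHeaderMarker.size();` followed by `QByteArray header = pTcpSocket->peek(qMin(byteAvailable, maxHeaderLength + 1));`, keeps the existing `byteAvailable > maxHeaderLength` rejection intact while bounding both the copy and the scan. The product `MAX_HEADERLINE_LENGTH * MAX_HEADERLINES` is evaluated in the constants' own type before widening to qint64, which is fine if they are small ints but deserves a cast if either is large. `handshakeReceived()` begins before this hunk, so any earlier guards on the socket are not visible here.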