res_http_websocket: ensure control frames do not interfere with data

Control frames (PING / PONG / CLOSE) can be received in the middle of a fragmented message. In order to ensure they do not interfere with the reassembly buffer, we exit early and do not return the payload to the caller. ASTERISK-28257 #close Change-Id: Ia5367144fe08ac6141bba3309517a48ec7f013bc
2025-11-03 20:38:59 +00:00 · 2019-01-23 11:45:56 +01:00
parent 884aaa5f72
commit 69e9fd63e1
1 changed files with 11 additions and 2 deletions
--- a/res/res_http_websocket.c
+++ b/res/res_http_websocket.c
@@ -632,9 +632,17 @@ int AST_OPTIONAL_API_NAME(ast_websocket_read)(struct ast_websocket *session, cha
 		}

 		/* Per the RFC for PING we need to send back an opcode with the application data as received */
-		if ((*opcode == AST_WEBSOCKET_OPCODE_PING) && (ast_websocket_write(session, AST_WEBSOCKET_OPCODE_PONG, *payload, *payload_len))) {
+		if (*opcode == AST_WEBSOCKET_OPCODE_PING) {
+			if (ast_websocket_write(session, AST_WEBSOCKET_OPCODE_PONG, *payload, *payload_len)) {
+				ast_websocket_close(session, 1009);
+			}
+			*payload_len = 0;
+			return 0;
+		}
+
+		/* Stop PONG processing here */
+		if (*opcode == AST_WEBSOCKET_OPCODE_PONG) {
 			*payload_len = 0;
-			ast_websocket_close(session, 1009);
 			return 0;
 		}

@@ -648,6 +656,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_read)(struct ast_websocket *session, cha
 			return 0;
 		}

+		/* Below this point we are handling TEXT, BINARY or CONTINUATION opcodes */
 		if (*payload_len) {
 			if (!(new_payload = ast_realloc(session->payload, (session->payload_len + *payload_len)))) {
 				ast_log(LOG_WARNING, "Failed allocation: %p, %zu, %"PRIu64"\n",