2009-12-07 Fumitoshi Ukai <ukai@chromium.org>
author: ukai@chromium.org <ukai@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Dec 2009 04:03:42 +0000 (04:03 +0000)
committer: ukai@chromium.org <ukai@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Dec 2009 04:03:42 +0000 (04:03 +0000)
        Reviewed by Darin Adler.

        Fix wrong length parsing in WebSocket.
        https://bugs.webkit.org/show_bug.cgi?id=32203

        These two tests assumed wrong length encoding in frame: it parsed
        length from bytes with 8th bit on.  But spec says length is encoded
        as a series of 7-bit bytes stored in octets with the 8th bit on
        *but the last byte*.
        These tests encode a frame that has 129 length, so it must be
        \x81\0x01 instead of \x81\0x81.

        * websocket/tests/frame-length-longer-than-buffer_wsh.py:
        * websocket/tests/frame-length-skip_wsh.py:
2009-12-07  Fumitoshi Ukai  <ukai@chromium.org>

        Reviewed by Darin Adler.

        Fix wrong length parsing in WebSocket.
        https://bugs.webkit.org/show_bug.cgi?id=32203

        * websockets/WebSocketChannel.cpp:
        (WebCore::WebSocketChannel::didReceiveData):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@51829 268f45cc-cd09-0410-ab3c-d52691b4dbfc
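The length encoding the commit message describes, as an added Python example (not WebKit code and not part of this commit): a decoder matching the fixed didReceiveData logic beside the pre-fix behaviour, run on the \x81\x01 and \x81\x81 prefixes the tests use. INT_MAX and the function names are my own.

```python
# Added example, not WebKit code. Decodes the WebSocket-76 style frame length:
# base-128 digits, most significant first, high bit set on every byte except
# the last. Returns (length, bytes_consumed), or None when the buffer ends
# before the terminating byte (the caller should wait for more data).
INT_MAX = 2**31 - 1  # mirrors the int overflow guard in WebSocketChannel.cpp


def parse_length(buf: bytes, pos: int = 0):
    length = 0
    while pos < len(buf):
        if length > INT_MAX // 128:          # next multiply would overflow int
            raise ValueError("frame length overflow")
        b = buf[pos]
        length = length * 128 + (b & 0x7F)
        pos += 1
        if not (b & 0x80):                   # terminating byte: high bit clear
            return length, pos
    return None                              # incomplete prefix, need more data


def parse_length_buggy(buf: bytes, pos: int = 0):
    """Pre-fix logic: only consumes bytes *with* the high bit set, so the
    terminating byte is never consumed and ends up treated as payload."""
    length = 0
    while pos < len(buf) and (buf[pos] & 0x80):
        length = length * 128 + (buf[pos] & 0x7F)
        pos += 1
    return length, pos


def encode_length(n: int) -> bytes:
    """Inverse of parse_length: 7-bit groups, continuation bit on all but last."""
    digits = []
    while True:
        digits.append(n & 0x7F)
        n >>= 7
        if n == 0:
            break
    digits.reverse()
    return bytes([d | 0x80 for d in digits[:-1]] + [digits[-1]])
```

On the corrected test prefix the fixed decoder yields 129 and consumes both bytes, while the old one stops at the first byte and returns 1, which is exactly the misparse the commit fixes.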

LayoutTests/ChangeLog
LayoutTests/websocket/tests/frame-length-longer-than-buffer_wsh.py
LayoutTests/websocket/tests/frame-length-skip_wsh.py
WebCore/ChangeLog
WebCore/websockets/WebSocketChannel.cpp

index bcc9d34..9963f2a 100644 (file)
@@ -1,3 +1,20 @@
+2009-12-07  Fumitoshi Ukai  <ukai@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Fix wrong length parsing in WebSocket.
+        https://bugs.webkit.org/show_bug.cgi?id=32203
+
+        These two tests assumed wrong length encoding in frame: it parsed
+        length from bytes with 8th bit on.  But spec says length is encoded
+        as a series of 7-bit bytes stored in octests with the 8th bit on
+        *but the last byte*.
+        These tests encodes a frame that has 129 length, so it must be
+        \x81\0x01 instead of \x81\0x81.
+
+        * websocket/tests/frame-length-longer-than-buffer_wsh.py:
+        * websocket/tests/frame-length-skip_wsh.py:
+
 2009-12-07  Nikolas Zimmermann  <nzimmermann@rim.com>
 
         Rubber-stamped by Maciej Stachowiak.
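Review bot: typos in the new ChangeLog text: "octests" should be "octets" and "These tests encodes" should be "These tests encode". The literals "\x81\0x01" / "\x81\0x81" also mix two escape styles; "\x81\x01" and "\x81\x81" match what the test scripts actually write.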
index 8ad868b..0f91c96 100644 (file)
@@ -3,7 +3,7 @@ def web_socket_do_extra_handshake(request):
 
 def web_socket_transfer_data(request):
   msg = "\0hello\xff"
-  msg += "\x80\x81\x81"
+  msg += "\x80\x81\x01"  # skip 1*128+1 bytes.
   msg += "\x01\xff"
   msg += "\0should be skipped\xff"
   request.connection.write(msg)
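Review bot: the new comment `# skip 1*128+1 bytes.` states the declared length but not that this file deliberately declares 129 bytes while far fewer follow in the buffer, which is the case the test name exercises; say so in the comment so a future reader does not "fix" the payload to match the length.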
index 5571691..d14f550 100644 (file)
@@ -3,7 +3,7 @@ def web_socket_do_extra_handshake(request):
 
 def web_socket_transfer_data(request):
   msg = "\0hello\xff"
-  msg += "\x80\x81\x81"
+  msg += "\x80\x81\x01"   # skip 1*128+1 bytes.
   msg += "\x01"
   msg += "\0should be skipped" + (" " * 109) + "\xff"
   msg += "\0world\xff"
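Review bot: style: three spaces before the inline comment here versus one in frame-length-longer-than-buffer_wsh.py; PEP 8 asks for two. It would also help to note in the comment that 129 equals `len("\x01") + len("\0should be skipped" + " " * 109 + "\xff")`, which is what makes the skip land exactly on "\0world\xff".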
index 607abc5..b235deb 100644 (file)
@@ -1,3 +1,13 @@
+2009-12-07  Fumitoshi Ukai  <ukai@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Fix wrong length parsing in WebSocket.
+        https://bugs.webkit.org/show_bug.cgi?id=32203
+
+        * websockets/WebSocketChannel.cpp:
+        (WebCore::WebSocketChannel::didReceiveData):
+
 2009-12-07  Nikolas Zimmermann  <nzimmermann@rim.com>
 
         Rubber-stamped by Maciej Stachowiak.
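Review bot: missing documentation: the WebCore ChangeLog entry cites the bug but, unlike the LayoutTests entry, does not say what changed. Add a sentence stating that the length prefix is now read as 7-bit groups, continuing while the high bit is set and terminating on the first byte with it clear.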
index 2dde770..a222b4d 100644 (file)
@@ -187,14 +187,17 @@ void WebSocketChannel::didReceiveData(SocketStreamHandle* handle, const char* da
         unsigned char frameByte = static_cast<unsigned char>(*p++);
         if ((frameByte & 0x80) == 0x80) {
             int length = 0;
-            while (p < end && (*p & 0x80) == 0x80) {
+            while (p < end) {
                 if (length > std::numeric_limits<int>::max() / 128) {
                     LOG(Network, "frame length overflow %d", length);
                     handle->close();
                     return;
                 }
-                length = length * 128 + (*p & 0x7f);
+                char msgByte = *p;
+                length = length * 128 + (msgByte & 0x7f);
                 ++p;
+                if (!(msgByte & 0x80))
+                    break;
             }
             if (p + length < end) {
                 p += length;
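Review bot: when `while (p < end)` exits because the buffer ran out before a byte with the high bit clear, `length` holds a partial value and `p == end`, yet control reaches the same `if (p + length < end)` check as a complete prefix; track whether the loop ended via `break` and otherwise return to wait for more data rather than relying on the comparison to fail. Separately, `p + length < end` forms a pointer past the buffer when `length` is large (the guard only bounds it to roughly INT_MAX), which is undefined behaviour in C++; `end - p > length` expresses the same test without it.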