Re: [Qemu-devel] [PATCH v2 6/6] io: Reply to ping frames

["Daniel P. Berrange" <berrange@redhat.com>]

On Mon, Sep 11, 2017 at 10:43:21AM -0700, Brandon Carpenter wrote:
> On Mon, Sep 11, 2017 at 10:37 AM, Daniel P. Berrange <berrange@redhat.com>
> wrote:
> > At the time qio_channel_websock_decode_header is run, 'encinput' is only
> > guaranteed to contain enough data to decode the header.
> 
> Because the PING opcode is a control frame, this bit of code earlier in the
> function will ensure the entire frame has been read before the PING
> processing occurs:
> 
> >       if (ioc->encinput.offset < ioc->payload_remain) {
> >             /* Wait for the entire payload before processing control
> > frames
> >              * because the payload will most likely be echoed back. */
> >             if (ioc->opcode & QIO_CHANNEL_WEBSOCK_CONTROL_OPCODE_MASK) {
> >                 return QIO_CHANNEL_ERR_BLOCK;
> >             }
> >             payload_len = ioc->encinput.offset - (ioc->encinput.offset %
> > 4);

The problem is in the qio_channel_websock_read_wire method we refuse
to read more than 4k into encinput. So if the ping payload is greater
than 4k this will just loop forever.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|