diff options
Diffstat (limited to 'Source/WebCore/Modules/websockets/WebSocketChannel.cpp')
-rw-r--r-- | Source/WebCore/Modules/websockets/WebSocketChannel.cpp | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/Source/WebCore/Modules/websockets/WebSocketChannel.cpp b/Source/WebCore/Modules/websockets/WebSocketChannel.cpp index 2ce69dd38..c8ee9a8fd 100644 --- a/Source/WebCore/Modules/websockets/WebSocketChannel.cpp +++ b/Source/WebCore/Modules/websockets/WebSocketChannel.cpp @@ -674,12 +674,22 @@ bool WebSocketChannel::processFrame() break; case WebSocketFrame::OpCodeClose: - if (frame.payloadLength >= 2) { + if (!frame.payloadLength) + m_closeEventCode = CloseEventCodeNoStatusRcvd; + else if (frame.payloadLength == 1) { + m_closeEventCode = CloseEventCodeAbnormalClosure; + fail("Received a broken close frame containing an invalid size body."); + return false; + } else { unsigned char highByte = static_cast<unsigned char>(frame.payload[0]); unsigned char lowByte = static_cast<unsigned char>(frame.payload[1]); m_closeEventCode = highByte << 8 | lowByte; - } else - m_closeEventCode = CloseEventCodeNoStatusRcvd; + if (m_closeEventCode == CloseEventCodeNoStatusRcvd || m_closeEventCode == CloseEventCodeAbnormalClosure || m_closeEventCode == CloseEventCodeTLSHandshake) { + m_closeEventCode = CloseEventCodeAbnormalClosure; + fail("Received a broken close frame containing a reserved status code."); + return false; + } + } if (frame.payloadLength >= 3) m_closeEventReason = String::fromUTF8(&frame.payload[2], frame.payloadLength - 2); else |