CVE-2018-12541: When a WebSocket upgrade has a body > 8192 send an ap…

…propriate response immediately and close the connection afterward. - fixes #2648
eclipse-vertx · Oct 3, 2018 · 269a583 · 269a583
1 parent 616a034
commit 269a583
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/src/main/java/io/vertx/core/http/impl/HttpServerImpl.java b/src/main/java/io/vertx/core/http/impl/HttpServerImpl.java
@@ -694,7 +694,23 @@ protected void handleMessage(Http1xServerConnection conn, ContextImpl context, C
         }
       } else if (msg instanceof HttpContent) {
         if (wsRequest != null) {
-          wsRequest.content().writeBytes(((HttpContent) msg).content());
+          ByteBuf content = wsRequest.content();
+          boolean overflow = content.readableBytes() > 8192;
+          content.writeBytes(((HttpContent) msg).content());
+          if (content.readableBytes() > 8192) {
+            if (!overflow) {
+              FullHttpResponse resp = new DefaultFullHttpResponse(
+                io.netty.handler.codec.http.HttpVersion.HTTP_1_1,
+                HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE
+              );
+              chctx.writeAndFlush(resp);
+              chctx.close();
+            }
+            if (msg instanceof LastHttpContent) {
+              wsRequest = null;
+              return;
+            }
+          }
           if (msg instanceof LastHttpContent) {
             FullHttpRequest req = wsRequest;
             wsRequest = null;

diff --git a/src/test/java/io/vertx/test/core/WebsocketTest.java b/src/test/java/io/vertx/test/core/WebsocketTest.java
@@ -1056,6 +1056,23 @@ private void testReject(WebsocketVersion version, Integer rejectionStatus, int e
     await();
   }
 
+  @Test
+  public void testRequestEntityTooLarge() {
+    String path = "/some/path";
+    server = vertx.createHttpServer(new HttpServerOptions().setPort(DEFAULT_HTTP_PORT)).websocketHandler(ws -> fail());
+    server.listen(onSuccess(ar -> {
+      client.get(DEFAULT_HTTP_PORT, HttpTestBase.DEFAULT_HTTPS_HOST, path, resp -> {
+        assertEquals(413, resp.statusCode());
+        resp.request().connection().closeHandler(v -> {
+          testComplete();
+        });
+      }).putHeader("Upgrade", "Websocket")
+        .putHeader("Connection", "Upgrade")
+        .end(TestUtils.randomBuffer(8192 + 1));
+    }));
+    await();
+  }
+
   @Test
   public void testWriteMessageHybi00() {
     testWriteMessage(256, WebsocketVersion.V00);