From 269a583330695d1418a4f5578f7169350b2e1332 Mon Sep 17 00:00:00 2001
From: Julien Viet <julien@julienviet.com>
Date: Thu, 20 Sep 2018 09:36:28 +0200
Subject: [PATCH] CVE-2018-12541: When a WebSocket upgrade has a body > 8192
 send an appropriate response immediately and close the connection afterward.
 - fixes #2648

---
 .../vertx/core/http/impl/HttpServerImpl.java   | 18 +++++++++++++++++-
 .../java/io/vertx/test/core/WebsocketTest.java | 17 +++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/src/main/java/io/vertx/core/http/impl/HttpServerImpl.java b/src/main/java/io/vertx/core/http/impl/HttpServerImpl.java
index 69027b56e69..115a843d4bb 100644
--- a/src/main/java/io/vertx/core/http/impl/HttpServerImpl.java
+++ b/src/main/java/io/vertx/core/http/impl/HttpServerImpl.java
@@ -694,7 +694,23 @@ protected void handleMessage(Http1xServerConnection conn, ContextImpl context, C
         }
       } else if (msg instanceof HttpContent) {
         if (wsRequest != null) {
-          wsRequest.content().writeBytes(((HttpContent) msg).content());
+          ByteBuf content = wsRequest.content();
+          boolean overflow = content.readableBytes() > 8192;
+          content.writeBytes(((HttpContent) msg).content());
+          if (content.readableBytes() > 8192) {
+            if (!overflow) {
+              FullHttpResponse resp = new DefaultFullHttpResponse(
+                io.netty.handler.codec.http.HttpVersion.HTTP_1_1,
+                HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE
+              );
+              chctx.writeAndFlush(resp);
+              chctx.close();
+            }
+            if (msg instanceof LastHttpContent) {
+              wsRequest = null;
+              return;
+            }
+          }
           if (msg instanceof LastHttpContent) {
             FullHttpRequest req = wsRequest;
             wsRequest = null;
diff --git a/src/test/java/io/vertx/test/core/WebsocketTest.java b/src/test/java/io/vertx/test/core/WebsocketTest.java
index 3787b0a1764..cb4b8518ffc 100644
--- a/src/test/java/io/vertx/test/core/WebsocketTest.java
+++ b/src/test/java/io/vertx/test/core/WebsocketTest.java
@@ -1056,6 +1056,23 @@ private void testReject(WebsocketVersion version, Integer rejectionStatus, int e
     await();
   }
 
+  @Test
+  public void testRequestEntityTooLarge() {
+    String path = "/some/path";
+    server = vertx.createHttpServer(new HttpServerOptions().setPort(DEFAULT_HTTP_PORT)).websocketHandler(ws -> fail());
+    server.listen(onSuccess(ar -> {
+      client.get(DEFAULT_HTTP_PORT, HttpTestBase.DEFAULT_HTTPS_HOST, path, resp -> {
+        assertEquals(413, resp.statusCode());
+        resp.request().connection().closeHandler(v -> {
+          testComplete();
+        });
+      }).putHeader("Upgrade", "Websocket")
+        .putHeader("Connection", "Upgrade")
+        .end(TestUtils.randomBuffer(8192 + 1));
+    }));
+    await();
+  }
+
   @Test
   public void testWriteMessageHybi00() {
     testWriteMessage(256, WebsocketVersion.V00);