Fix Address Sanitizer heap-buffer-overflow in WebSocketHandshakeKeyGen::generate

================================================================= ==5077==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000077e0 at pc 0x00010ba18c54 bp 0x70000dd45b10 sp 0x70000dd45b08 READ of size 1 at 0x6070000077e0 thread T12 #0 0x10ba18c53 in WebSocketHandshakeKeyGen::generate(char const*, char*) libwshandshake.hpp:113 #1 0x10ba2065a in ix::WebSocketHandshake::serverHandshake(int, int) IXWebSocketHandshake.cpp:356 #2 0x10b9c4952 in ix::WebSocketTransport::connectToSocket(int, int) IXWebSocketTransport.cpp:190 #3 0x10b97e4c2 in ix::WebSocket::connectToSocket(int, int) IXWebSocket.cpp:193
2019-05-16 21:58:04 -07:00 · 2019-05-16 21:58:04 -07:00 · 720d5593a5
commit 720d5593a5
parent 13fa325134
2 changed files with 9 additions and 3 deletions
--- a/ixwebsocket/IXWebSocketHandshake.cpp
+++ b/ixwebsocket/IXWebSocketHandshake.cpp
@ -242,7 +242,7 @@ namespace ix
        }

        char output[29] = {};
-        WebSocketHandshakeKeyGen::generate(secWebSocketKey.c_str(), output);
+        WebSocketHandshakeKeyGen::generate(secWebSocketKey, output);
        if (std::string(output) != headers["sec-websocket-accept"])
        {
            std::string errorMsg("Invalid Sec-WebSocket-Accept value");
@ -348,7 +348,7 @@ namespace ix
        }

        char output[29] = {};
-        WebSocketHandshakeKeyGen::generate(headers["sec-websocket-key"].c_str(), output);
+        WebSocketHandshakeKeyGen::generate(headers["sec-websocket-key"], output);

        std::stringstream ss;
        ss << "HTTP/1.1 101 Switching Protocols\r\n";
--- a/ixwebsocket/libwshandshake.hpp
+++ b/ixwebsocket/libwshandshake.hpp
@ -20,6 +20,7 @@

 #include <cstdint>
 #include <cstddef>
+#include <string>

 class WebSocketHandshakeKeyGen {
    template <int N, typename T>
@ -100,7 +101,12 @@ class WebSocketHandshakeKeyGen {
    }

 public:
-    static inline void generate(const char input[24], char output[28]) {
+    static inline void generate(const std::string& inputStr, char output[28]) {
+
+        char input[25] = {};
+        strncpy(input, inputStr.c_str(), 25 - 1);
+        input[25 - 1] = '\0';
+
        uint32_t b_output[5] = {
            0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0
        };