Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
5.11.2, 5.12.1, 5.12.4, 5.13.0, 5.14.1, 5.15
-
None
-
All
-
ed93680f34e92ad0383aa4e610bb65689118ca93
Description
CVE-2018-21035 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21035
In the websocket protocol, a websocket message can be composed a several websocket frame that are later reassembled. The Qt websocket implementation accepts a frame of maximum 2^31-2 bytes (why -2 ?).
//qwebsocketframe_p.h const quint64 MAX_FRAME_SIZE_IN_BYTES = INT_MAX - 1; const quint64 MAX_MESSAGE_SIZE_IN_BYTES = INT_MAX - 1;
This number is really huge. An attacker could make a lots of websocket connection, and sending partial messages containing frames (or partial frame) of a huge size. It could continue until he will exhaust all the virtual memory of the process running websocket (a server or a client). This will result in a crash and will cause a denial of service.
This is really easy to achieve.
Currently a qwebsocket class user cannot do anything against this, as the only signals of the class for received data are:
void textFrameReceived(const QString &frame, bool isLastFrame);
void binaryFrameReceived(const QByteArray &frame, bool isLastFrame);
void textMessageReceived(const QString &message);
void binaryMessageReceived(const QByteArray &message);
So signals are only emitted when a frame is fully received, therefore this attack is possible.
A possible solution would be to make the maximum frame/message size, a modifiable class parameter.
Another solution could be to add a signal to the class, void dataReceived(quint64 bytesReceived); that would be triggered, every time some data are received, this would allow to discard large frame/msgs.
Attachments
| For Gerrit Dashboard: QTBUG-70693 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 284735,16 | Add a public api to set max frame and message size (CVE-2018-21035) | 5.15 | qt/qtwebsockets | Status: MERGED | +2 | 0 |