CVE-2018-21035 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21035
In the WebSocket protocol a message can be composed of several frames that the receiver later reassembles. The Qt WebSocket implementation accepts frames of up to 2^31-2 bytes (why -2?).
That limit is enormous. An attacker can open a large number of WebSocket connections and, on each one, send a partial message made of huge frames (or a partial huge frame), and keep going until all the virtual memory of the process handling the WebSocket (a server or a client alike) is exhausted. The result is a crash and therefore a denial of service.
This is easy to achieve.
A user of the QWebSocket class currently has no way to defend against this, because the only signals the class emits for received data are:
These signals are only emitted once a frame has been fully received, so the application learns about a frame only after Qt has already buffered all of it; that is what makes the attack possible.
One solution would be to make the maximum frame and message sizes configurable parameters of the class.
Another would be to add a signal to the class, void dataReceived(quint64 bytesReceived), emitted every time some data arrives, so that the application can discard oversized frames or messages early.
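The fragmentation and the size check described above, as an added example that is not part of this report or of Qt's code: a minimal RFC 6455 frame decoder and message reassembler that decides from the 2 to 14 header bytes alone whether a frame, or the message it continues, fits within a cap, before any payload byte is buffered. The class and function names, the cap values (2^31-2 to mirror the limit named in the report, 1 MiB, 10 and 12 bytes), the fragment sizes and the frames themselves are constructed for illustration.

```cpp
// Added example, not Qt's code: a minimal RFC 6455 frame decoder and message
// reassembler that enforces per-frame and per-message caps from the header,
// before any payload byte is buffered. The cap values are assumptions.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

struct FrameHeader {
    bool fin = false, masked = false;
    uint8_t opcode = 0, maskKey[4] = {0, 0, 0, 0};
    uint64_t payloadLength = 0;   // length as declared on the wire, not yet received
    size_t headerSize = 0;        // bytes consumed, masking key included
};

enum class Verdict { NeedMoreData, FrameTooLarge, MessageTooLarge, ProtocolError,
                     FrameAccepted, MessageComplete };

// Decodes only the header, so the size check can run on a partial buffer.
Verdict parseFrameHeader(const uint8_t* data, size_t len, FrameHeader& h) {
    if (len < 2) return Verdict::NeedMoreData;
    if (data[0] & 0x70) return Verdict::ProtocolError;   // RSV bits need a negotiated extension
    h.fin = data[0] & 0x80; h.opcode = data[0] & 0x0F; h.masked = data[1] & 0x80;
    uint64_t plen = data[1] & 0x7F;
    size_t pos = plen == 126 ? 4 : plen == 127 ? 10 : 2;  // fixed header + extended length
    if (len < pos) return Verdict::NeedMoreData;
    if (pos == 4) plen = (uint64_t(data[2]) << 8) | data[3];
    if (pos == 10) { plen = 0; for (int i = 0; i < 8; ++i) plen = (plen << 8) | data[2 + i]; }
    if (plen >> 63) return Verdict::ProtocolError;       // MSB must be 0 (RFC 6455 section 5.2)
    if (h.masked) {
        if (len < pos + 4) return Verdict::NeedMoreData;
        for (int i = 0; i < 4; ++i) h.maskKey[i] = data[pos++];
    }
    h.payloadLength = plen; h.headerSize = pos;
    return Verdict::FrameAccepted;
}

class BoundedMessageAssembler {
public:
    BoundedMessageAssembler(uint64_t maxFrame, uint64_t maxMessage)
        : maxFrame_(maxFrame), maxMessage_(maxMessage) {}

    // Header-only decision: nothing has been allocated for the payload yet.
    Verdict checkHeader(const FrameHeader& h) const {
        if (h.payloadLength > maxFrame_) return Verdict::FrameTooLarge;
        if (h.opcode >= 8) return Verdict::FrameAccepted;                 // control frame, not assembled
        if ((h.opcode == 0) != inMessage_) return Verdict::ProtocolError;  // bad fragment sequence
        uint64_t base = inMessage_ ? message_.size() : 0;
        return base + h.payloadLength > maxMessage_ ? Verdict::MessageTooLarge : Verdict::FrameAccepted;
    }

    // Consumes one whole frame; payload is copied only after checkHeader() passed.
    Verdict feedFrame(const uint8_t* data, size_t len) {
        FrameHeader h;
        Verdict v = parseFrameHeader(data, len, h);
        if (v == Verdict::FrameAccepted) v = checkHeader(h);
        if (v != Verdict::FrameAccepted || h.opcode >= 8) return v;
        if (len < h.headerSize + h.payloadLength) return Verdict::NeedMoreData;
        if (!inMessage_) message_.clear();                // first frame of a new message
        const uint8_t* p = data + h.headerSize;
        for (uint64_t i = 0; i < h.payloadLength; ++i)
            message_.push_back(h.masked ? uint8_t(p[i] ^ h.maskKey[i % 4]) : p[i]);
        inMessage_ = !h.fin;
        return h.fin ? Verdict::MessageComplete : Verdict::FrameAccepted;
    }
    const std::vector<uint8_t>& message() const { return message_; }

private:
    uint64_t maxFrame_, maxMessage_;
    std::vector<uint8_t> message_;
    bool inMessage_ = false;
};

// The attacker's frame from the report: a masked header declaring 2^31-2 payload
// bytes (the Qt limit) and nothing after it. 14 bytes on the wire per connection.
Verdict hugeFrameVerdict(uint64_t maxFrame) {
    std::vector<uint8_t> f = {0x82, 0x80 | 127};        // FIN, binary; masked; 64-bit length
    const uint64_t n = (uint64_t(1) << 31) - 2;
    for (int i = 7; i >= 0; --i) f.push_back(uint8_t(n >> (8 * i)));
    f.insert(f.end(), {0, 0, 0, 0});                     // constructed masking key
    BoundedMessageAssembler a(maxFrame, maxFrame);
    return a.feedFrame(f.data(), f.size());
}

// Sends `count` unmasked fragments of `fragBytes` each (< 126) as one binary message;
// returns the last verdict and how many payload bytes were actually buffered.
std::pair<Verdict, size_t> fragmentedMessage(uint64_t maxMessage, size_t fragBytes, int count) {
    BoundedMessageAssembler a(1 << 20, maxMessage);      // 1 MiB per-frame cap (assumed)
    Verdict v = Verdict::NeedMoreData;
    for (int i = 0; i < count; ++i) {
        std::vector<uint8_t> f{uint8_t((i == count - 1 ? 0x80 : 0) | (i == 0 ? 2 : 0)), uint8_t(fragBytes)};
        f.insert(f.end(), fragBytes, uint8_t('a' + i));  // constructed payload
        v = a.feedFrame(f.data(), f.size());
        if (v != Verdict::FrameAccepted) break;
    }
    return {v, a.message().size()};
}
```

With the per-frame cap left at 2^31-2 the receiver returns NeedMoreData on the 14-byte header and sits waiting for up to 2 GiB of payload per connection; with a 1 MiB cap the same header is rejected as FrameTooLarge before anything is buffered. The per-message cap is what catches the fragmented variant, where every individual frame is small but the continuation frames never end. The change that merged for Qt 5.15 exposes exactly these two knobs as QWebSocket::setMaxAllowedIncomingFrameSize() and QWebSocket::setMaxAllowedIncomingMessageSize().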
For Gerrit Dashboard: QTBUG-70693
| Change | Subject | Branch | Project | Status | Scores |
| 284735,16 | Add a public api to set max frame and message size (CVE-2018-21035) | 5.15 | qt/qtwebsockets | MERGED | +2 / 0 |