commit 9666e1d43869fe0eafa8047ff5925d31c8042582
author Andy Green <andy.green@linaro.org> Thu Jan 21 10:54:14 2016 +0800
committer Andy Green <andy.green@linaro.org> Thu Jan 21 10:59:07 2016 +0800
tree 370cb98af6e7f2cc49ae21c48078686035f6c89e
parent 5a0e7866d387523275bdcc12d6ff9f101d8b26f7

fuzzer handle junk after upgrade header

Signed-off-by: Andy Green <andy.green@linaro.org>

lib/server.c

diff --git a/lib/server.c b/lib/server.c
index 036c876..aeb5f8e 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -327,6 +327,9 @@
 	/* LWSCM_WS_SERVING */
 
 	while (len--) {
+
+		assert(wsi->mode == LWSCM_HTTP_SERVING);
+
 		if (lws_parse(wsi, *(*buf)++)) {
 			lwsl_info("lws_parse failed\n");
 			goto bail_nuke_ah;
@@ -342,34 +345,40 @@
 
 		/* is this websocket protocol or normal http 1.0? */
 
-		if (!lws_hdr_total_length(wsi, WSI_TOKEN_UPGRADE) ||
-		    !lws_hdr_total_length(wsi, WSI_TOKEN_CONNECTION)) {
-
-			ah = wsi->u.hdr.ah;
-
-			lws_union_transition(wsi, LWSCM_HTTP_SERVING_ACCEPTED);
-			wsi->state = LWSS_HTTP;
-			wsi->u.http.fd = LWS_INVALID_FILE;
-
-			/* expose it at the same offset as u.hdr */
-			wsi->u.http.ah = ah;
-			lwsl_debug("%s: wsi %p: ah %p\n", __func__, (void *)wsi, (void *)wsi->u.hdr.ah);
-
-			n = lws_http_action(wsi);
-
-			return n;
+		if (lws_hdr_total_length(wsi, WSI_TOKEN_UPGRADE)) {
+			if (!strcasecmp(lws_hdr_simple_ptr(wsi, WSI_TOKEN_UPGRADE),
+					"websocket")) {
+				lwsl_info("Upgrade to ws\n");
+				goto upgrade_ws;
+			}
+#ifdef LWS_USE_HTTP2
+			if (!strcasecmp(lws_hdr_simple_ptr(wsi, WSI_TOKEN_UPGRADE),
+					"h2c-14")) {
+				lwsl_info("Upgrade to h2c-14\n");
+				goto upgrade_h2c;
+			}
+#endif
+			lwsl_err("Unknown upgrade\n");
+			/* dunno what he wanted to upgrade to */
+			goto bail_nuke_ah;
 		}
 
-		if (!strcasecmp(lws_hdr_simple_ptr(wsi, WSI_TOKEN_UPGRADE),
-				"websocket"))
-			goto upgrade_ws;
-#ifdef LWS_USE_HTTP2
-		if (!strcasecmp(lws_hdr_simple_ptr(wsi, WSI_TOKEN_UPGRADE),
-								"h2c-14"))
-			goto upgrade_h2c;
-#endif
-		/* dunno what he wanted to upgrade to */
-		goto bail_nuke_ah;
+		/* no upgrade ack... he remained as HTTP */
+
+		lwsl_info("No upgrade\n");
+		ah = wsi->u.hdr.ah;
+
+		lws_union_transition(wsi, LWSCM_HTTP_SERVING_ACCEPTED);
+		wsi->state = LWSS_HTTP;
+		wsi->u.http.fd = LWS_INVALID_FILE;
+
+		/* expose it at the same offset as u.hdr */
+		wsi->u.http.ah = ah;
+		lwsl_debug("%s: wsi %p: ah %p\n", __func__, (void *)wsi, (void *)wsi->u.hdr.ah);
+
+		n = lws_http_action(wsi);
+
+		return n;
 
 #ifdef LWS_USE_HTTP2
 upgrade_h2c:
@@ -554,8 +563,9 @@
 			return 1;
 		}
 #endif
-		lwsl_parser("accepted v%02d connection\n",
-						       wsi->ietf_spec_revision);
+		lwsl_parser("accepted v%02d connection\n", wsi->ietf_spec_revision);
+
+		return 0;
 	} /* while all chars are handled */
 
 	return 0;