1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/websockets/websocket_frame_parser.h"
6
7 #include <algorithm>
8 #include <limits>
9 #include <utility>
10 #include <vector>
11
12 #include "base/big_endian.h"
13 #include "base/logging.h"
14 #include "base/memory/scoped_refptr.h"
15 #include "net/base/io_buffer.h"
16 #include "net/websockets/websocket_frame.h"
17
18 namespace {
19
20 const uint8_t kFinalBit = 0x80;
21 const uint8_t kReserved1Bit = 0x40;
22 const uint8_t kReserved2Bit = 0x20;
23 const uint8_t kReserved3Bit = 0x10;
24 const uint8_t kOpCodeMask = 0xF;
25 const uint8_t kMaskBit = 0x80;
26 const uint8_t kPayloadLengthMask = 0x7F;
27 const uint64_t kMaxPayloadLengthWithoutExtendedLengthField = 125;
28 const uint64_t kPayloadLengthWithTwoByteExtendedLengthField = 126;
29 const uint64_t kPayloadLengthWithEightByteExtendedLengthField = 127;
30 const size_t kMaximumFrameHeaderSize =
31 net::WebSocketFrameHeader::kBaseHeaderSize +
32 net::WebSocketFrameHeader::kMaximumExtendedLengthSize +
33 net::WebSocketFrameHeader::kMaskingKeyLength;
34
35 } // namespace.
36
37 namespace net {
38
39 WebSocketFrameParser::WebSocketFrameParser() = default;
40
41 WebSocketFrameParser::~WebSocketFrameParser() = default;
42
Decode(const char * data,size_t length,std::vector<std::unique_ptr<WebSocketFrameChunk>> * frame_chunks)43 bool WebSocketFrameParser::Decode(
44 const char* data,
45 size_t length,
46 std::vector<std::unique_ptr<WebSocketFrameChunk>>* frame_chunks) {
47 if (websocket_error_ != kWebSocketNormalClosure)
48 return false;
49 if (!length)
50 return true;
51
52 base::span<const char> data_span = base::make_span(data, length);
53 // If we have incomplete frame header, try to decode a header combining with
54 // |data|.
55 bool first_chunk = false;
56 if (incomplete_header_buffer_.size() > 0) {
57 DCHECK(!current_frame_header_.get());
58 const size_t original_size = incomplete_header_buffer_.size();
59 DCHECK_LE(original_size, kMaximumFrameHeaderSize);
60 incomplete_header_buffer_.insert(
61 incomplete_header_buffer_.end(), data,
62 data + std::min(length, kMaximumFrameHeaderSize - original_size));
63 const size_t consumed = DecodeFrameHeader(incomplete_header_buffer_);
64 if (websocket_error_ != kWebSocketNormalClosure)
65 return false;
66 if (!current_frame_header_.get())
67 return true;
68
69 DCHECK_GE(consumed, original_size);
70 data_span = data_span.subspan(consumed - original_size);
71 incomplete_header_buffer_.clear();
72 first_chunk = true;
73 }
74
75 DCHECK(incomplete_header_buffer_.empty());
76 while (data_span.size() > 0 || first_chunk) {
77 if (!current_frame_header_.get()) {
78 const size_t consumed = DecodeFrameHeader(data_span);
79 if (websocket_error_ != kWebSocketNormalClosure)
80 return false;
81 // If frame header is incomplete, then carry over the remaining
82 // data to the next round of Decode().
83 if (!current_frame_header_.get()) {
84 DCHECK(!consumed);
85 incomplete_header_buffer_.insert(incomplete_header_buffer_.end(),
86 data_span.data(),
87 data_span.data() + data_span.size());
88 // Sanity check: the size of carried-over data should not exceed
89 // the maximum possible length of a frame header.
90 DCHECK_LT(incomplete_header_buffer_.size(), kMaximumFrameHeaderSize);
91 return true;
92 }
93 DCHECK_GE(data_span.size(), consumed);
94 data_span = data_span.subspan(consumed);
95 first_chunk = true;
96 }
97 DCHECK(incomplete_header_buffer_.empty());
98 std::unique_ptr<WebSocketFrameChunk> frame_chunk =
99 DecodeFramePayload(first_chunk, &data_span);
100 first_chunk = false;
101 DCHECK(frame_chunk.get());
102 frame_chunks->push_back(std::move(frame_chunk));
103 }
104 return true;
105 }
106
DecodeFrameHeader(base::span<const char> data)107 size_t WebSocketFrameParser::DecodeFrameHeader(base::span<const char> data) {
108 DVLOG(3) << "DecodeFrameHeader buffer size:"
109 << ", data size:" << data.size();
110 typedef WebSocketFrameHeader::OpCode OpCode;
111 DCHECK(!current_frame_header_.get());
112
113 // Header needs 2 bytes at minimum.
114 if (data.size() < 2)
115 return 0;
116 size_t current = 0;
117 const uint8_t first_byte = data[current++];
118 const uint8_t second_byte = data[current++];
119
120 const bool final = (first_byte & kFinalBit) != 0;
121 const bool reserved1 = (first_byte & kReserved1Bit) != 0;
122 const bool reserved2 = (first_byte & kReserved2Bit) != 0;
123 const bool reserved3 = (first_byte & kReserved3Bit) != 0;
124 const OpCode opcode = first_byte & kOpCodeMask;
125
126 uint64_t payload_length = second_byte & kPayloadLengthMask;
127 if (payload_length == kPayloadLengthWithTwoByteExtendedLengthField) {
128 if (data.size() < current + 2)
129 return 0;
130 uint16_t payload_length_16;
131 base::ReadBigEndian(reinterpret_cast<const uint8_t*>(&data[current]),
132 &payload_length_16);
133 current += 2;
134 payload_length = payload_length_16;
135 if (payload_length <= kMaxPayloadLengthWithoutExtendedLengthField) {
136 websocket_error_ = kWebSocketErrorProtocolError;
137 return 0;
138 }
139 } else if (payload_length == kPayloadLengthWithEightByteExtendedLengthField) {
140 if (data.size() < current + 8)
141 return 0;
142 base::ReadBigEndian(reinterpret_cast<const uint8_t*>(&data[current]),
143 &payload_length);
144 current += 8;
145 if (payload_length <= UINT16_MAX ||
146 payload_length > static_cast<uint64_t>(INT64_MAX)) {
147 websocket_error_ = kWebSocketErrorProtocolError;
148 return 0;
149 }
150 if (payload_length > static_cast<uint64_t>(INT32_MAX)) {
151 websocket_error_ = kWebSocketErrorMessageTooBig;
152 return 0;
153 }
154 }
155 DCHECK_EQ(websocket_error_, kWebSocketNormalClosure);
156
157 WebSocketMaskingKey masking_key = {};
158 const bool masked = (second_byte & kMaskBit) != 0;
159 static const int kMaskingKeyLength = WebSocketFrameHeader::kMaskingKeyLength;
160 if (masked) {
161 if (data.size() < current + kMaskingKeyLength)
162 return 0;
163 std::copy(&data[current], &data[current] + kMaskingKeyLength,
164 masking_key.key);
165 current += kMaskingKeyLength;
166 }
167
168 current_frame_header_ = std::make_unique<WebSocketFrameHeader>(opcode);
169 current_frame_header_->final = final;
170 current_frame_header_->reserved1 = reserved1;
171 current_frame_header_->reserved2 = reserved2;
172 current_frame_header_->reserved3 = reserved3;
173 current_frame_header_->masked = masked;
174 current_frame_header_->masking_key = masking_key;
175 current_frame_header_->payload_length = payload_length;
176 DCHECK_EQ(0u, frame_offset_);
177 return current;
178 }
179
DecodeFramePayload(bool first_chunk,base::span<const char> * data)180 std::unique_ptr<WebSocketFrameChunk> WebSocketFrameParser::DecodeFramePayload(
181 bool first_chunk,
182 base::span<const char>* data) {
183 // The cast here is safe because |payload_length| is already checked to be
184 // less than std::numeric_limits<int>::max() when the header is parsed.
185 const int chunk_data_size = static_cast<int>(
186 std::min(static_cast<uint64_t>(data->size()),
187 current_frame_header_->payload_length - frame_offset_));
188
189 auto frame_chunk = std::make_unique<WebSocketFrameChunk>();
190 if (first_chunk) {
191 frame_chunk->header = current_frame_header_->Clone();
192 }
193 frame_chunk->final_chunk = false;
194 if (chunk_data_size > 0) {
195 frame_chunk->payload = data->subspan(0, chunk_data_size);
196 *data = data->subspan(chunk_data_size);
197 frame_offset_ += chunk_data_size;
198 }
199
200 DCHECK_LE(frame_offset_, current_frame_header_->payload_length);
201 if (frame_offset_ == current_frame_header_->payload_length) {
202 frame_chunk->final_chunk = true;
203 current_frame_header_.reset();
204 frame_offset_ = 0;
205 }
206
207 return frame_chunk;
208 }
209
210 } // namespace net
211