net: websocket: Revise generation of Sec-WebSocket-Accept header
This removes some tricky math to calculate lengths and offsets,
ensuring that, when appending the WebSocket UUID to the handshake
key, the key_accept buffer won't overflow.
Coverity-ID: 183057
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
diff --git a/subsys/net/lib/websocket/websocket.c b/subsys/net/lib/websocket/websocket.c
index 5a3874e..b3a445a 100644
--- a/subsys/net/lib/websocket/websocket.c
+++ b/subsys/net/lib/websocket/websocket.c
@@ -354,6 +354,7 @@
struct net_pkt *pkt;
char tmp[64];
int ret;
+ size_t key_len;
size_t olen;
pkt = net_app_get_net_pkt_with_dst(&ctx->app_ctx,
@@ -368,20 +369,15 @@
goto fail;
}
- olen = min(sizeof(key_accept) - 1,
- ctx->http.field_values[ws_sec_key].value_len);
- strncpy(key_accept, ctx->http.field_values[ws_sec_key].value, olen);
+ key_len = min(sizeof(key_accept) - 1,
+ ctx->http.field_values[ws_sec_key].value_len);
+ strncpy(key_accept, ctx->http.field_values[ws_sec_key].value,
+ key_len);
- olen = min(sizeof(key_accept) - 1 -
- ctx->http.field_values[ws_sec_key].value_len,
- sizeof(WS_MAGIC) - 1);
- strncpy(key_accept + ctx->http.field_values[ws_sec_key].value_len,
- WS_MAGIC, olen);
+ olen = min(sizeof(key_accept) - 1 - key_len, sizeof(WS_MAGIC) - 1);
+ strncpy(key_accept + key_len, WS_MAGIC, olen);
- olen = ctx->http.field_values[ws_sec_key].value_len +
- sizeof(WS_MAGIC) - 1;
-
- mbedtls_sha1(key_accept, olen, accept);
+ mbedtls_sha1(key_accept, olen + key_len, accept);
ret = base64_encode(tmp, sizeof(tmp) - 1, &olen, accept,
sizeof(accept));
