Warmcat Libwebsockets WebSocket Server Use-After-Free Vulnerability Allowing Denial-of-Service
Vulnerability
A use-after-free vulnerability has been identified in the WebSocket server implementation of Warmcat Libwebsockets version 4.4. It is reachable only in deployments whose user-supplied protocol callback handles 'LWS_CALLBACK_HTTP_CONFIRM_UPGRADE'. The defect lies in the 'lws_handshake_server' function: when an incoming request's upgrade header is invalid, the function frees certain data held in the WebSocket instance structure, yet continues into the upgrade-confirmation path and uses a pointer to that freed data in subsequent operations. An attacker who can send a malformed upgrade request to such a server can therefore trigger the stale access and cause a denial-of-service condition.
Impact
Exploitation of this vulnerability can lead to a denial-of-service condition: the affected server process crashes or becomes unresponsive, making it unavailable to its clients.
Reproduction
The vulnerability can be reproduced by compiling a minimal WebSocket server against Warmcat Libwebsockets version 4.4 with AddressSanitizer enabled, so that the stale access is reported as a heap-use-after-free rather than manifesting as an unexplained crash. The server must be configured with a callback that handles 'LWS_CALLBACK_HTTP_CONFIRM_UPGRADE', with the length of the upgrade header improperly managed. When a WebSocket upgrade request carrying an invalid upgrade header is received, 'lws_handshake_server' frees the header data and then uses it; AddressSanitizer reports the access, and without the sanitizer the same input produces the denial-of-service condition.
Remediation
The vulnerability is addressed by modifying the 'lws_handshake_server' function so that the upgrade-confirmation code runs only when the upgrade header is valid: the relevant code is enclosed in the 'else' branch of the invalid-header check, so the path that frees the data no longer falls through to code that uses it. Deployments should move to a build that contains this change; per the description above, servers whose callback does not handle 'LWS_CALLBACK_HTTP_CONFIRM_UPGRADE' do not reach the vulnerable path.
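The following is an added illustration of the control-flow shape described above and of the 'else'-branch fix; it is not libwebsockets code and does not reproduce the library's 'lws_handshake_server' or its 'struct lws'. The 'struct conn', 'handshake_vulnerable', 'handshake_fixed' and 'confirm_cb' names are hypothetical. A tiny quarantining allocator stands in for AddressSanitizer: freed blocks are kept rather than returned to malloc, so a later access is well-defined and can be counted as a stale access instead of crashing.

```c
/* Added example (not libwebsockets code): models the free-then-use shape the
 * advisory describes and the fix of moving the confirm-upgrade code into the
 * else branch. All names here are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quarantine allocator standing in for AddressSanitizer: q_free() only marks a
 * block as freed, so reading it afterwards is defined and detectable. */
#define MAX_BLOCKS 16
static struct { void *p; int freed; } g_blocks[MAX_BLOCKS];
static int g_nblocks;

static void *q_alloc(size_t n) {
    void *p = malloc(n);
    if (p && g_nblocks < MAX_BLOCKS) {
        g_blocks[g_nblocks].p = p;
        g_blocks[g_nblocks].freed = 0;
        g_nblocks++;
    }
    return p;
}
static void q_free(void *p) {
    for (int i = 0; i < g_nblocks; i++)
        if (g_blocks[i].p == p) { g_blocks[i].freed = 1; return; }
}
/* 1 = live tracked block, 0 = freed (stale), -1 = not tracked */
static int q_live(const void *p) {
    for (int i = 0; i < g_nblocks; i++)
        if (g_blocks[i].p == p) return g_blocks[i].freed ? 0 : 1;
    return -1;
}
static void q_reset(void) {             /* really release everything */
    for (int i = 0; i < g_nblocks; i++) free(g_blocks[i].p);
    g_nblocks = 0;
}

/* Hypothetical connection state: a heap copy of the Upgrade header value and a
 * user callback standing in for LWS_CALLBACK_HTTP_CONFIRM_UPGRADE. */
struct conn {
    char *upgrade_hdr;
    int (*confirm_upgrade)(struct conn *);
};

static int g_stale_hits;                /* stale accesses observed in one run */

/* User callback that reads the header, as a real application callback might. */
static int confirm_cb(struct conn *c) {
    if (q_live(c->upgrade_hdr) != 1) { g_stale_hits++; return -1; }
    return strcmp(c->upgrade_hdr, "websocket") == 0 ? 0 : -1;
}

static int header_valid(const char *h) { return h && strcmp(h, "websocket") == 0; }

/* Vulnerable shape: an invalid header frees the data but execution falls
 * through to the confirm-upgrade callback, which still sees the pointer. */
static int handshake_vulnerable(struct conn *c) {
    int ret = 0;
    if (!header_valid(c->upgrade_hdr)) {
        q_free(c->upgrade_hdr);         /* data freed ... */
        ret = -1;
    }
    if (c->confirm_upgrade && c->confirm_upgrade(c))   /* ... and then used */
        ret = -1;
    return ret;
}

/* Fixed shape: the confirm-upgrade code lives in the else branch, so the
 * freeing path and the using path are mutually exclusive. */
static int handshake_fixed(struct conn *c) {
    int ret = 0;
    if (!header_valid(c->upgrade_hdr)) {
        q_free(c->upgrade_hdr);
        ret = -1;
    } else {
        if (c->confirm_upgrade && c->confirm_upgrade(c))
            ret = -1;
    }
    return ret;
}

/* Drive one handshake on a fresh connection with the given (constructed)
 * Upgrade header value; returns how many stale accesses it caused. */
static int run(int (*handshake)(struct conn *), const char *hdr_value) {
    q_reset();
    g_stale_hits = 0;
    struct conn c = {0};
    c.upgrade_hdr = q_alloc(strlen(hdr_value) + 1);
    strcpy(c.upgrade_hdr, hdr_value);
    c.confirm_upgrade = confirm_cb;
    handshake(&c);
    return g_stale_hits;
}

int main(void) {
    printf("vulnerable, invalid header: %d stale access(es)\n", run(handshake_vulnerable, "bogus"));
    printf("fixed, invalid header:      %d stale access(es)\n", run(handshake_fixed, "bogus"));
    printf("fixed, valid header:        %d stale access(es)\n", run(handshake_fixed, "websocket"));
    q_reset();
    return 0;
}
```

The vulnerable variant reports one stale access for the invalid header and none for a valid one, which matches the advisory's note that the bug is only reachable when a confirm-upgrade callback is registered and the header is rejected; the fixed variant reports none in either case. In a real build the equivalent check is AddressSanitizer's heap-use-after-free report, as in the reproduction above.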
