GNOME libsoup
cpe:2.3:a:gnome:libsoup:*:*:*:*:*:*:*
A vulnerability exists in libsoup's WebSocket frame processing, specifically in the 'process_frame()' function of 'SoupWebsocketConnection'. When 'max_incoming_payload_size' is set to 0 or left unset, the library can read memory beyond the bounds of the frame buffer. This flaw can lead to unintended memory exposure or crash the application. The vulnerability requires a non-default configuration and can be triggered by a remote attacker sending crafted WebSocket frames.
Exploitation of this vulnerability causes an out-of-bounds read that results in a segmentation fault and a crash. Out-of-bounds reads of this kind can also be leveraged to disclose sensitive information or manipulate memory, potentially allowing arbitrary code execution.
The vulnerability can be reproduced by creating a WebSocket server connection with 'max_incoming_payload_size' set to 0. When a crafted masked frame is sent, 'process_frame()' reads beyond the allocated buffer, producing an out-of-bounds read. This can be observed with a C program that uses the libsoup library, built with AddressSanitizer enabled to detect the invalid memory access.
To address this vulnerability, ensure that 'max_incoming_payload_size' is set to a non-zero value in applications using libsoup's WebSocket support. This prevents the out-of-bounds read, because the library then never processes incoming frames under an unset or zero maximum payload size.
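The mitigation above comes down to one defensive property: the declared length of an incoming frame must be checked against a real, non-zero limit and against the bytes actually received before any payload byte is read. The following C program is an added illustration of that check; it is not libsoup's code and does not reproduce its 'process_frame()'. It parses an RFC 6455 frame header against a caller-supplied limit, treats a limit of 0 as a misconfiguration to refuse rather than as "unlimited", and only reports a frame complete once every declared payload byte is present. The type and function names ('frame_status', 'parse_frame_header', 'unmask_payload') and the sample frame bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of checking one frame header (names constructed for this example). */
typedef enum {
    FRAME_OK = 0,       /* header valid and the whole payload is in the buffer */
    FRAME_NEED_MORE,    /* header or payload not fully received yet */
    FRAME_TOO_LARGE,    /* declared payload length exceeds the configured limit */
    FRAME_BAD_LIMIT,    /* limit is 0: refuse rather than treat it as "unlimited" */
    FRAME_MALFORMED     /* length field violates RFC 6455 */
} frame_status;

typedef struct {
    int fin;
    uint8_t opcode;
    int masked;
    uint64_t payload_len;
    size_t header_len;  /* header bytes including extended length and mask key */
    uint8_t mask_key[4];
} frame_header;

/* Parse an RFC 6455 frame header from buf[0..len) and enforce max_payload.
 * The declared length is validated against the limit and against the bytes
 * actually present before a single payload byte is touched. */
frame_status parse_frame_header(const uint8_t *buf, size_t len,
                                uint64_t max_payload, frame_header *out)
{
    size_t pos = 2;
    uint64_t plen;

    if (max_payload == 0)
        return FRAME_BAD_LIMIT;
    if (len < 2)
        return FRAME_NEED_MORE;

    memset(out, 0, sizeof *out);
    out->fin = (buf[0] & 0x80) != 0;
    out->opcode = buf[0] & 0x0f;
    out->masked = (buf[1] & 0x80) != 0;
    plen = buf[1] & 0x7f;

    if (plen == 126) {
        if (len < pos + 2)
            return FRAME_NEED_MORE;
        plen = ((uint64_t)buf[2] << 8) | buf[3];
        pos += 2;
    } else if (plen == 127) {
        if (len < pos + 8)
            return FRAME_NEED_MORE;
        plen = 0;
        for (int i = 0; i < 8; i++)
            plen = (plen << 8) | buf[pos + i];
        pos += 8;
        /* RFC 6455 requires the top bit of a 64-bit length to be clear. */
        if (plen & 0x8000000000000000ULL)
            return FRAME_MALFORMED;
    }

    /* Enforce the configured limit before looking at the mask key or payload. */
    if (plen > max_payload)
        return FRAME_TOO_LARGE;

    if (out->masked) {
        if (len < pos + 4)
            return FRAME_NEED_MORE;
        memcpy(out->mask_key, buf + pos, 4);
        pos += 4;
    }

    out->payload_len = plen;
    out->header_len = pos;

    /* Only report success when every declared payload byte is actually present. */
    if ((uint64_t)(len - pos) < plen)
        return FRAME_NEED_MORE;
    return FRAME_OK;
}

/* Unmask a payload in place; call only after parse_frame_header returned FRAME_OK. */
void unmask_payload(uint8_t *payload, uint64_t plen, const uint8_t key[4])
{
    for (uint64_t i = 0; i < plen; i++)
        payload[i] ^= key[i % 4];
}

int main(void)
{
    /* Constructed sample: masked text frame carrying "hi", mask key 01 02 03 04. */
    uint8_t frame[] = {0x81, 0x82, 0x01, 0x02, 0x03, 0x04, 0x69, 0x6b};
    frame_header h;
    frame_status st = parse_frame_header(frame, sizeof frame, 128 * 1024, &h);

    if (st == FRAME_OK) {
        unmask_payload(frame + h.header_len, h.payload_len, h.mask_key);
        printf("accepted: opcode=%u payload=\"%.*s\"\n", h.opcode,
               (int)h.payload_len, (const char *)(frame + h.header_len));
    }
    /* The same frame under a limit of 0 is refused before any payload access. */
    st = parse_frame_header(frame, sizeof frame, 0, &h);
    printf("limit 0 -> status %d (FRAME_BAD_LIMIT=%d)\n", (int)st, (int)FRAME_BAD_LIMIT);
    return 0;
}
```

The ordering inside 'parse_frame_header' is the point: the limit check and the "is the payload really here" check both happen on the declared length alone, so an oversized or truncated frame is rejected or deferred without ever indexing into memory that the frame does not own. In libsoup the equivalent limit is the 'max_incoming_payload_size' setting the advisory tells you to keep non-zero.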