File libsoup-CVE-2026-0716.patch of Package libsoup
From 149750d7350c1d25b00bdb8355ad58d3864f902b Mon Sep 17 00:00:00 2001
From: Mike Gorse <mgorse@suse.com>
Date: Sun, 11 Jan 2026 10:52:14 -0600
Subject: [PATCH] websocket: Fix out-of-bounds read in process_frame
If the maximum incoming payload size is unset, then a malicious frame could
cause an overflow when calculating the needed amount of data, leading to an
out-of-bounds read later.
This is CVE-2026-0716.
Closes #476
---
libsoup/websocket/soup-websocket-connection.c | 8 +++-
tests/websocket-test.c | 44 +++++++++++++++++++
2 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
index 30df9841..42867be3 100644
--- a/libsoup/websocket/soup-websocket-connection.c
+++ b/libsoup/websocket/soup-websocket-connection.c
@@ -1028,6 +1028,7 @@ process_frame (SoupWebsocketConnection *self)
guint8 opcode;
gsize len;
gsize at;
+ gsize required;
GBytes *filtered_bytes;
GList *l;
GError *error = NULL;
@@ -1123,7 +1124,12 @@ process_frame (SoupWebsocketConnection *self)
payload += 4;
at += 4;
- if (len < at + payload_len)
+ if (!g_size_checked_add (&required, (gsize) at, (gsize) payload_len)) {
+ bad_data_error_and_close (self);
+ return FALSE;
+ }
+
+ if (len < required)
return FALSE; /* need more data */
xor_with_mask (mask, payload, payload_len);
diff --git a/tests/websocket-test.c b/tests/websocket-test.c
index 194b966a..e887091d 100644
--- a/tests/websocket-test.c
+++ b/tests/websocket-test.c
@@ -2215,6 +2215,41 @@ test_connection_error (void)
soup_test_session_abort_unref (session);
}
+static void
+test_cve_2026_0716 (Test *test,
+ gconstpointer unused)
+{
+ GError *error = NULL;
+ GIOStream *io;
+ gsize written;
+ const char *frame;
+ gboolean close_event = FALSE;
+
+ g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL);
+ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
+ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
+
+ io = soup_websocket_connection_get_io_stream (test->client);
+
+ soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
+
+ // Malicious masked frame header (10-byte header + 4-byte mask) */
+ frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd";
+ if (!g_output_stream_write_all (g_io_stream_get_output_stream (io),
+ frame, 14, &written, NULL, NULL))
+ g_assert_cmpstr ("This code", ==, "should not be reached");
+ g_assert_cmpuint (written, ==, 14);
+
+ WAIT_UNTIL (error != NULL);
+ g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
+ g_clear_error (&error);
+
+ WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
+ g_assert_true (close_event);
+
+ g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
+}
+
int
main (int argc,
char *argv[])
@@ -2465,6 +2500,15 @@ main (int argc,
g_test_add_func ("/websocket/soup/connection-error", test_connection_error);
+ g_test_add ("/websocket/direct/cve-2026-0716", Test, NULL,
+ setup_direct_connection,
+ test_cve_2026_0716,
+ teardown_direct_connection);
+ g_test_add ("/websocket/soup/cve-2026-0716", Test, NULL,
+ setup_soup_connection,
+ test_cve_2026_0716,
+ teardown_soup_connection);
+
ret = g_test_run ();
test_cleanup ();
--
GitLab
