1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "net/websockets/websocket_frame_parser.h"
6
7#include <algorithm>
8#include <limits>
9
10#include "base/basictypes.h"
11#include "base/logging.h"
12#include "base/memory/ref_counted.h"
13#include "base/memory/scoped_ptr.h"
14#include "base/memory/scoped_vector.h"
15#include "net/base/big_endian.h"
16#include "net/base/io_buffer.h"
17#include "net/websockets/websocket_frame.h"
18
19namespace {
20
21const uint8 kFinalBit = 0x80;
22const uint8 kReserved1Bit = 0x40;
23const uint8 kReserved2Bit = 0x20;
24const uint8 kReserved3Bit = 0x10;
25const uint8 kOpCodeMask = 0xF;
26const uint8 kMaskBit = 0x80;
27const uint8 kPayloadLengthMask = 0x7F;
28const uint64 kMaxPayloadLengthWithoutExtendedLengthField = 125;
29const uint64 kPayloadLengthWithTwoByteExtendedLengthField = 126;
30const uint64 kPayloadLengthWithEightByteExtendedLengthField = 127;
31
32}  // Unnamed namespace.
33
34namespace net {
35
36WebSocketFrameParser::WebSocketFrameParser()
37    : current_read_pos_(0),
38      frame_offset_(0),
39      websocket_error_(kWebSocketNormalClosure) {
40  std::fill(masking_key_.key,
41            masking_key_.key + WebSocketFrameHeader::kMaskingKeyLength,
42            '\0');
43}
44
45WebSocketFrameParser::~WebSocketFrameParser() {}
46
47bool WebSocketFrameParser::Decode(
48    const char* data,
49    size_t length,
50    ScopedVector<WebSocketFrameChunk>* frame_chunks) {
51  if (websocket_error_ != kWebSocketNormalClosure)
52    return false;
53  if (!length)
54    return true;
55
56  // TODO(yutak): Remove copy.
57  buffer_.insert(buffer_.end(), data, data + length);
58
59  while (current_read_pos_ < buffer_.size()) {
60    bool first_chunk = false;
61    if (!current_frame_header_.get()) {
62      DecodeFrameHeader();
63      if (websocket_error_ != kWebSocketNormalClosure)
64        return false;
65      // If frame header is incomplete, then carry over the remaining
66      // data to the next round of Decode().
67      if (!current_frame_header_.get())
68        break;
69      first_chunk = true;
70    }
71
72    scoped_ptr<WebSocketFrameChunk> frame_chunk =
73        DecodeFramePayload(first_chunk);
74    DCHECK(frame_chunk.get());
75    frame_chunks->push_back(frame_chunk.release());
76
77    if (current_frame_header_.get()) {
78      DCHECK(current_read_pos_ == buffer_.size());
79      break;
80    }
81  }
82
83  // Drain unnecessary data. TODO(yutak): Remove copy. (but how?)
84  buffer_.erase(buffer_.begin(), buffer_.begin() + current_read_pos_);
85  current_read_pos_ = 0;
86
87  // Sanity check: the size of carried-over data should not exceed
88  // the maximum possible length of a frame header.
89  static const size_t kMaximumFrameHeaderSize =
90      WebSocketFrameHeader::kBaseHeaderSize +
91      WebSocketFrameHeader::kMaximumExtendedLengthSize +
92      WebSocketFrameHeader::kMaskingKeyLength;
93  DCHECK_LT(buffer_.size(), kMaximumFrameHeaderSize);
94
95  return true;
96}
97
98void WebSocketFrameParser::DecodeFrameHeader() {
99  typedef WebSocketFrameHeader::OpCode OpCode;
100  static const int kMaskingKeyLength = WebSocketFrameHeader::kMaskingKeyLength;
101
102  DCHECK(!current_frame_header_.get());
103
104  const char* start = &buffer_.front() + current_read_pos_;
105  const char* current = start;
106  const char* end = &buffer_.front() + buffer_.size();
107
108  // Header needs 2 bytes at minimum.
109  if (end - current < 2)
110    return;
111
112  uint8 first_byte = *current++;
113  uint8 second_byte = *current++;
114
115  bool final = (first_byte & kFinalBit) != 0;
116  bool reserved1 = (first_byte & kReserved1Bit) != 0;
117  bool reserved2 = (first_byte & kReserved2Bit) != 0;
118  bool reserved3 = (first_byte & kReserved3Bit) != 0;
119  OpCode opcode = first_byte & kOpCodeMask;
120
121  bool masked = (second_byte & kMaskBit) != 0;
122  uint64 payload_length = second_byte & kPayloadLengthMask;
123  if (payload_length == kPayloadLengthWithTwoByteExtendedLengthField) {
124    if (end - current < 2)
125      return;
126    uint16 payload_length_16;
127    ReadBigEndian(current, &payload_length_16);
128    current += 2;
129    payload_length = payload_length_16;
130    if (payload_length <= kMaxPayloadLengthWithoutExtendedLengthField)
131      websocket_error_ = kWebSocketErrorProtocolError;
132  } else if (payload_length == kPayloadLengthWithEightByteExtendedLengthField) {
133    if (end - current < 8)
134      return;
135    ReadBigEndian(current, &payload_length);
136    current += 8;
137    if (payload_length <= kuint16max ||
138        payload_length > static_cast<uint64>(kint64max)) {
139      websocket_error_ = kWebSocketErrorProtocolError;
140    } else if (payload_length > static_cast<uint64>(kint32max)) {
141      websocket_error_ = kWebSocketErrorMessageTooBig;
142    }
143  }
144  if (websocket_error_ != kWebSocketNormalClosure) {
145    buffer_.clear();
146    current_read_pos_ = 0;
147    current_frame_header_.reset();
148    frame_offset_ = 0;
149    return;
150  }
151
152  if (masked) {
153    if (end - current < kMaskingKeyLength)
154      return;
155    std::copy(current, current + kMaskingKeyLength, masking_key_.key);
156    current += kMaskingKeyLength;
157  } else {
158    std::fill(masking_key_.key, masking_key_.key + kMaskingKeyLength, '\0');
159  }
160
161  current_frame_header_.reset(new WebSocketFrameHeader(opcode));
162  current_frame_header_->final = final;
163  current_frame_header_->reserved1 = reserved1;
164  current_frame_header_->reserved2 = reserved2;
165  current_frame_header_->reserved3 = reserved3;
166  current_frame_header_->masked = masked;
167  current_frame_header_->payload_length = payload_length;
168  current_read_pos_ += current - start;
169  DCHECK_EQ(0u, frame_offset_);
170}
171
172scoped_ptr<WebSocketFrameChunk> WebSocketFrameParser::DecodeFramePayload(
173    bool first_chunk) {
174  const char* current = &buffer_.front() + current_read_pos_;
175  const char* end = &buffer_.front() + buffer_.size();
176  uint64 next_size = std::min<uint64>(
177      end - current, current_frame_header_->payload_length - frame_offset_);
178  // This check must pass because |payload_length| is already checked to be
179  // less than std::numeric_limits<int>::max() when the header is parsed.
180  DCHECK_LE(next_size, static_cast<uint64>(kint32max));
181
182  scoped_ptr<WebSocketFrameChunk> frame_chunk(new WebSocketFrameChunk);
183  if (first_chunk) {
184    frame_chunk->header = current_frame_header_->Clone();
185  }
186  frame_chunk->final_chunk = false;
187  if (next_size) {
188    frame_chunk->data = new IOBufferWithSize(static_cast<int>(next_size));
189    char* io_data = frame_chunk->data->data();
190    memcpy(io_data, current, next_size);
191    if (current_frame_header_->masked) {
192      // The masking function is its own inverse, so we use the same function to
193      // unmask as to mask.
194      MaskWebSocketFramePayload(
195          masking_key_, frame_offset_, io_data, next_size);
196    }
197
198    current_read_pos_ += next_size;
199    frame_offset_ += next_size;
200  }
201
202  DCHECK_LE(frame_offset_, current_frame_header_->payload_length);
203  if (frame_offset_ == current_frame_header_->payload_length) {
204    frame_chunk->final_chunk = true;
205    current_frame_header_.reset();
206    frame_offset_ = 0;
207  }
208
209  return frame_chunk.Pass();
210}
211
212}  // namespace net
213