Blob Blame History Raw
Backport of:
From aac95a9dcf4bbba87b76c72706c3221a842ca433 Mon Sep 17 00:00:00 2001
From: Andreas Weigel <andreaswe@securepoint.de>
Date: Wed, 15 Feb 2017 12:31:05 +0100
Subject: [PATCH] fix overflow and refactor websockets decode (Hybi)

fix critical heap-based buffer overflow which allowed easy modification
of a return address via an overwritten function pointer

fix bug causing connections to fail due a "one websocket frame = one
ws_read" assumption, which failed with LibVNCServer-0.9.11

refactor websocket Hybi decode to use a simple state machine for
decoding of websocket frames

[Ubuntu note: Renamed b64_pton to __b64_pton in patch to ensure patch can be
applied.
 -- Avital]

---
 libvncserver/websockets.c | 595 +++++++++++++++++++++++++++++---------
 1 file changed, 463 insertions(+), 132 deletions(-)

--- a/libvncserver/websockets.c
+++ b/libvncserver/websockets.c
@@ -62,6 +62,9 @@
 
 #define B64LEN(__x) (((__x + 2) / 3) * 12 / 3)
 #define WSHLENMAX 14  /* 2 + sizeof(uint64_t) + sizeof(uint32_t) */
+#define WS_HYBI_MASK_LEN 4
+
+#define ARRAYSIZE(a) ((sizeof(a) / sizeof((a[0]))) / (size_t)(!(sizeof(a) % sizeof((a[0])))))
 
 enum {
   WEBSOCKETS_VERSION_HIXIE,
@@ -78,20 +81,20 @@ static int gettid() {
 typedef int (*wsEncodeFunc)(rfbClientPtr cl, const char *src, int len, char **dst);
 typedef int (*wsDecodeFunc)(rfbClientPtr cl, char *dst, int len);
 
-typedef struct ws_ctx_s {
-    char codeBufDecode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
-	char codeBufEncode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
-	char readbuf[8192];
-    int readbufstart;
-    int readbuflen;
-    int dblen;
-    char carryBuf[3];                      /* For base64 carry-over */
-    int carrylen;
-    int version;
-    int base64;
-    wsEncodeFunc encode;
-    wsDecodeFunc decode;
-} ws_ctx_t;
+
+enum {
+  /* header not yet received completely */
+  WS_HYBI_STATE_HEADER_PENDING,
+  /* data available */
+  WS_HYBI_STATE_DATA_AVAILABLE,
+  WS_HYBI_STATE_DATA_NEEDED,
+  /* received a complete frame */
+  WS_HYBI_STATE_FRAME_COMPLETE,
+  /* received part of a 'close' frame */
+  WS_HYBI_STATE_CLOSE_REASON_PENDING,
+  /* */
+  WS_HYBI_STATE_ERR
+};
 
 typedef union ws_mask_s {
   char c[4];
@@ -119,6 +122,38 @@ typedef struct __attribute__ ((__packed_
   } u;
 } ws_header_t;
 
+typedef struct ws_header_data_s {
+  ws_header_t *data;
+  /** bytes read */
+  int nRead;
+  /** mask value */
+  ws_mask_t mask;
+  /** length of frame header including payload len, but without mask */
+  int headerLen;
+  /** length of the payload data */
+  int payloadLen;
+  /** opcode */
+  unsigned char opcode;
+} ws_header_data_t;
+
+typedef struct ws_ctx_s {
+    char codeBufDecode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
+    char codeBufEncode[B64LEN(UPDATE_BUF_SIZE) + WSHLENMAX]; /* base64 + maximum frame header length */
+    char *writePos;
+    unsigned char *readPos;
+    int readlen;
+    int hybiDecodeState;
+    char carryBuf[3];                      /* For base64 carry-over */
+    int carrylen;
+    int version;
+    int base64;
+    ws_header_data_t header;
+    int nReadRaw;
+    int nToRead;
+    wsEncodeFunc encode;
+    wsDecodeFunc decode;
+} ws_ctx_t;
+
 enum
 {
     WS_OPCODE_CONTINUATION = 0x0,
@@ -179,6 +214,8 @@ static int webSocketsEncodeHixie(rfbClie
 static int webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len);
 static int webSocketsDecodeHixie(rfbClientPtr cl, char *dst, int len);
 
+static void hybiDecodeCleanup(ws_ctx_t *wsctx);
+
 static int
 min (int a, int b) {
     return a < b ? a : b;
@@ -440,10 +477,11 @@ webSocketsHandshake(rfbClientPtr cl, cha
 	wsctx->decode = webSocketsDecodeHixie;
     }
     wsctx->base64 = base64;
+    hybiDecodeCleanup(wsctx);
     cl->wsctx = (wsCtx *)wsctx;
     return TRUE;
 }
- 
+
 void
 webSocketsGenMd5(char * target, char *key1, char *key2, char *key3)
 {
@@ -635,146 +673,439 @@ webSocketsDecodeHixie(rfbClientPtr cl, c
 }
 
 static int
-webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len)
+hybiRemaining(ws_ctx_t *wsctx)
 {
-    char *buf, *payload;
-    uint32_t *payload32;
-    int ret = -1, result = -1;
-    int total = 0;
-    ws_mask_t mask;
-    ws_header_t *header;
-    int i;
-    unsigned char opcode;
-    ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
-    int flength, fhlen;
-    /* int fin; */ /* not used atm */ 
+  return wsctx->nToRead - wsctx->nReadRaw;
+}
 
-    /* rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t)); */
+static void
+hybiDecodeCleanup(ws_ctx_t *wsctx)
+{
+  wsctx->header.payloadLen = 0;
+  wsctx->header.mask.u = 0;
+  wsctx->nReadRaw = 0;
+  wsctx->nToRead= 0;
+  wsctx->carrylen = 0;
+  wsctx->readPos = (unsigned char *)wsctx->codeBufDecode;
+  wsctx->readlen = 0;
+  wsctx->hybiDecodeState = WS_HYBI_STATE_HEADER_PENDING;
+  wsctx->writePos = NULL;
+  rfbLog("cleaned up wsctx\n");
+}
 
-    if (wsctx->readbuflen) {
-      /* simply return what we have */
-      if (wsctx->readbuflen > len) {
-	memcpy(dst, wsctx->readbuf +  wsctx->readbufstart, len);
-	result = len;
-	wsctx->readbuflen -= len;
-	wsctx->readbufstart += len;
+/**
+ * Return payload data that has been decoded/unmasked from
+ * a websocket frame.
+ *
+ * @param[out]     dst destination buffer
+ * @param[in]      len bytes to copy to destination buffer
+ * @param[in,out]  wsctx internal state of decoding procedure
+ * @param[out]     number of bytes actually written to dst buffer
+ * @return next hybi decoding state
+ */
+static int
+hybiReturnData(char *dst, int len, ws_ctx_t *wsctx, int *nWritten)
+{
+  int nextState = WS_HYBI_STATE_ERR;
+
+  /* if we have something already decoded copy and return */
+  if (wsctx->readlen > 0) {
+    /* simply return what we have */
+    if (wsctx->readlen > len) {
+      rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", len, wsctx->readPos, wsctx->readlen);
+      memcpy(dst, wsctx->readPos, len);
+      *nWritten = len;
+      wsctx->readlen -= len;
+      wsctx->readPos += len;
+      nextState = WS_HYBI_STATE_DATA_AVAILABLE;
+    } else {
+      rfbLog("copy to %d bytes to dst buffer; readPos=%p, readLen=%d\n", wsctx->readlen, wsctx->readPos, wsctx->readlen);
+      memcpy(dst, wsctx->readPos, wsctx->readlen);
+      *nWritten = wsctx->readlen;
+      wsctx->readlen = 0;
+      wsctx->readPos = NULL;
+      if (hybiRemaining(wsctx) == 0) {
+        nextState = WS_HYBI_STATE_FRAME_COMPLETE;
       } else {
-	memcpy(dst, wsctx->readbuf +  wsctx->readbufstart, wsctx->readbuflen);
-	result = wsctx->readbuflen;
-	wsctx->readbuflen = 0;
-	wsctx->readbufstart = 0;
+        nextState = WS_HYBI_STATE_DATA_NEEDED;
       }
-      goto spor;
     }
+    rfbLog("after copy: readPos=%p, readLen=%d\n", wsctx->readPos, wsctx->readlen);
+  } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_CLOSE_REASON_PENDING) {
+    nextState = WS_HYBI_STATE_CLOSE_REASON_PENDING;
+  }
+  return nextState;
+}
 
-    buf = wsctx->codeBufDecode;
-    header = (ws_header_t *)wsctx->codeBufDecode;
+/**
+ * Read an RFC 6455 websocket frame (IETF hybi working group).
+ *
+ * Internal state is updated according to bytes received and the
+ * decoding of header information.
+ *
+ * @param[in]   cl client ptr with ptr to raw socket and ws_ctx_t ptr
+ * @param[out]  sockRet emulated recv return value
+ * @return next hybi decoding state; WS_HYBI_STATE_HEADER_PENDING indicates
+ *         that the header was not received completely.
+ */
+static int
+hybiReadHeader(rfbClientPtr cl, int *sockRet)
+{
+  int ret;
+  ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+  char *headerDst = wsctx->codeBufDecode + wsctx->nReadRaw;
+  int n = WSHLENMAX - wsctx->nReadRaw;
+
+  rfbLog("header_read to %p with len=%d\n", headerDst, n);
+  ret = ws_read(cl, headerDst, n);
+  rfbLog("read %d bytes from socket\n", ret);
+  if (ret <= 0) {
+    if (-1 == ret) {
+      /* save errno because rfbErr() will tamper it */
+      int olderrno = errno;
+      rfbErr("%s: peek; %m\n", __func__);
+      errno = olderrno;
+      *sockRet = -1;
+    } else {
+      *sockRet = 0;
+    }
+    return WS_HYBI_STATE_ERR;
+  }
 
-    ret = ws_peek(cl, buf, B64LEN(len) + WSHLENMAX);
+  wsctx->nReadRaw += ret;
+  if (wsctx->nReadRaw < 2) {
+    /* cannot decode header with less than two bytes */
+    errno = EAGAIN;
+    *sockRet = -1;
+    return WS_HYBI_STATE_HEADER_PENDING;
+  }
+
+  /* first two header bytes received; interpret header data and get rest */
+  wsctx->header.data = (ws_header_t *)wsctx->codeBufDecode;
+
+  wsctx->header.opcode = wsctx->header.data->b0 & 0x0f;
+
+  /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */
+  wsctx->header.payloadLen = wsctx->header.data->b1 & 0x7f;
+  rfbLog("first header bytes received; opcode=%d lenbyte=%d\n", wsctx->header.opcode, wsctx->header.payloadLen);
+
+  /*
+   * 4.3. Client-to-Server Masking
+   *
+   * The client MUST mask all frames sent to the server.  A server MUST
+   * close the connection upon receiving a frame with the MASK bit set to 0.
+  **/
+  if (!(wsctx->header.data->b1 & 0x80)) {
+    rfbErr("%s: got frame without mask ret=%d\n", __func__, ret);
+    errno = EIO;
+    *sockRet = -1;
+    return WS_HYBI_STATE_ERR;
+  }
+
+  if (wsctx->header.payloadLen < 126 && wsctx->nReadRaw >= 6) {
+    wsctx->header.headerLen = 2 + WS_HYBI_MASK_LEN;
+    wsctx->header.mask = wsctx->header.data->u.m;
+  } else if (wsctx->header.payloadLen == 126 && 8 <= wsctx->nReadRaw) {
+    wsctx->header.headerLen = 4 + WS_HYBI_MASK_LEN;
+    wsctx->header.payloadLen = WS_NTOH16(wsctx->header.data->u.s16.l16);
+    wsctx->header.mask = wsctx->header.data->u.s16.m16;
+  } else if (wsctx->header.payloadLen == 127 && 14 <= wsctx->nReadRaw) {
+    wsctx->header.headerLen = 10 + WS_HYBI_MASK_LEN;
+    wsctx->header.payloadLen = WS_NTOH64(wsctx->header.data->u.s64.l64);
+    wsctx->header.mask = wsctx->header.data->u.s64.m64;
+  } else {
+    /* Incomplete frame header, try again */
+    rfbErr("%s: incomplete frame header; ret=%d\n", __func__, ret);
+    errno = EAGAIN;
+    *sockRet = -1;
+    return WS_HYBI_STATE_HEADER_PENDING;
+  }
+
+  /* absolute length of frame */
+  wsctx->nToRead = wsctx->header.headerLen + wsctx->header.payloadLen;
 
-    if (ret < 2) {
-        /* save errno because rfbErr() will tamper it */
-        if (-1 == ret) {
-            int olderrno = errno;
-            rfbErr("%s: peek; %m\n", __func__);
-            errno = olderrno;
-        } else if (0 == ret) {
-            result = 0;
-        } else {
-            errno = EAGAIN;
-        }
-        goto spor;
-    }
+  /* set payload pointer just after header */
+  wsctx->writePos = wsctx->codeBufDecode + wsctx->nReadRaw;
 
-    opcode = header->b0 & 0x0f;
-    /* fin = (header->b0 & 0x80) >> 7; */ /* not used atm */
-    flength = header->b1 & 0x7f;
+  wsctx->readPos = (unsigned char *)(wsctx->codeBufDecode + wsctx->header.headerLen);
 
-    /*
-     * 4.3. Client-to-Server Masking
-     *
-     * The client MUST mask all frames sent to the server.  A server MUST
-     * close the connection upon receiving a frame with the MASK bit set to 0.
-    **/
-    if (!(header->b1 & 0x80)) {
-	rfbErr("%s: got frame without mask\n", __func__, ret);
-	errno = EIO;
-	goto spor;
-    }
-
-    if (flength < 126) {
-	fhlen = 2;
-	mask = header->u.m;
-    } else if (flength == 126 && 4 <= ret) {
-	flength = WS_NTOH16(header->u.s16.l16);
-	fhlen = 4;
-	mask = header->u.s16.m16;
-    } else if (flength == 127 && 10 <= ret) {
-	flength = WS_NTOH64(header->u.s64.l64);
-	fhlen = 10;
-	mask = header->u.s64.m64;
-    } else {
-      /* Incomplete frame header */
-      rfbErr("%s: incomplete frame header\n", __func__, ret);
-      errno = EIO;
-      goto spor;
-    }
+  rfbLog("header complete: state=%d flen=%d writeTo=%p\n", wsctx->hybiDecodeState, wsctx->nToRead, wsctx->writePos);
+
+  return WS_HYBI_STATE_DATA_NEEDED;
+}
 
-    /* absolute length of frame */
-    total = fhlen + flength + 4;
-    payload = buf + fhlen + 4; /* header length + mask */
+static int
+hybiWsFrameComplete(ws_ctx_t *wsctx)
+{
+  return wsctx != NULL && hybiRemaining(wsctx) == 0;
+}
 
-    if (-1 == (ret = ws_read(cl, buf, total))) {
+static char *
+hybiPayloadStart(ws_ctx_t *wsctx)
+{
+  return wsctx->codeBufDecode + wsctx->header.headerLen;
+}
+
+
+/**
+ * Read the remaining payload bytes from associated raw socket.
+ *
+ *  - try to read remaining bytes from socket
+ *  - unmask all multiples of 4
+ *  - if frame incomplete but some bytes are left, these are copied to
+ *      the carry buffer
+ *  - if opcode is TEXT: Base64-decode all unmasked received bytes
+ *  - set state for reading decoded data
+ *  - reset write position to begin of buffer (+ header)
+ *      --> before we retrieve more data we let the caller clear all bytes
+ *          from the reception buffer
+ *  - execute return data routine
+ *
+ *  Sets errno corresponding to what it gets from the underlying
+ *  socket or EIO if some internal sanity check fails.
+ *
+ *  @param[in]  cl client ptr with raw socket reference
+ *  @param[out] dst  destination buffer
+ *  @param[in]  len  size of destination buffer
+ *  @param[out] sockRet emulated recv return value
+ *  @return next hybi decode state
+ */
+static int
+hybiReadAndDecode(rfbClientPtr cl, char *dst, int len, int *sockRet)
+{
+  int n;
+  int i;
+  int toReturn;
+  int toDecode;
+  int bufsize;
+  int nextRead;
+  unsigned char *data;
+  uint32_t *data32;
+  ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+
+  /* if data was carried over, copy to start of buffer */
+  memcpy(wsctx->writePos, wsctx->carryBuf, wsctx->carrylen);
+  wsctx->writePos += wsctx->carrylen;
+
+  /* -1 accounts for potential '\0' terminator for base64 decoding */
+  bufsize = wsctx->codeBufDecode + ARRAYSIZE(wsctx->codeBufDecode) - wsctx->writePos - 1;
+  if (hybiRemaining(wsctx) > bufsize) {
+    nextRead = bufsize;
+  } else {
+    nextRead = hybiRemaining(wsctx);
+  }
+
+  rfbLog("calling read with buf=%p and len=%d (decodebuf=%p headerLen=%d\n)", wsctx->writePos, nextRead, wsctx->codeBufDecode, wsctx->header.headerLen);
+
+  if (wsctx->nReadRaw < wsctx->nToRead) {
+    /* decode more data */
+    if (-1 == (n = ws_read(cl, wsctx->writePos, nextRead))) {
       int olderrno = errno;
       rfbErr("%s: read; %m", __func__);
       errno = olderrno;
-      return ret;
-    } else if (ret < total) {
-      /* GT TODO: hmm? */
-      rfbLog("%s: read; got partial data\n", __func__);
-    } else {
-      buf[ret] = '\0';
-    }
+      *sockRet = -1;
+      return WS_HYBI_STATE_ERR;
+    } else if (n == 0) {
+      *sockRet = 0;
+      return WS_HYBI_STATE_ERR;
+    }
+    wsctx->nReadRaw += n;
+    rfbLog("read %d bytes from socket; nRead=%d\n", n, wsctx->nReadRaw);
+  } else {
+    n = 0;
+  }
+
+  wsctx->writePos += n;
+
+  if (wsctx->nReadRaw >= wsctx->nToRead) {
+    if (wsctx->nReadRaw > wsctx->nToRead) {
+      rfbErr("%s: internal error, read past websocket frame", __func__);
+      errno=EIO;
+      *sockRet = -1;
+      return WS_HYBI_STATE_ERR;
+    }
+  }
+
+  toDecode = wsctx->writePos - hybiPayloadStart(wsctx);
+  rfbLog("toDecode=%d from n=%d carrylen=%d headerLen=%d\n", toDecode, n, wsctx->carrylen, wsctx->header.headerLen);
+  if (toDecode < 0) {
+    rfbErr("%s: internal error; negative number of bytes to decode: %d", __func__, toDecode);
+    errno=EIO;
+    *sockRet = -1;
+    return WS_HYBI_STATE_ERR;
+  }
+
+  /* for a possible base64 decoding, we decode multiples of 4 bytes until
+   * the whole frame is received and carry over any remaining bytes in the carry buf*/
+  data = (unsigned char *)hybiPayloadStart(wsctx);
+  data32= (uint32_t *)data;
+
+  for (i = 0; i < (toDecode >> 2); i++) {
+    data32[i] ^= wsctx->header.mask.u;
+  }
+  rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);
 
-    /* process 1 frame (32 bit op) */
-    payload32 = (uint32_t *)payload;
-    for (i = 0; i < flength / 4; i++) {
-	payload32[i] ^= mask.u;
-    }
+  if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) {
     /* process the remaining bytes (if any) */
-    for (i*=4; i < flength; i++) {
-	payload[i] ^= mask.c[i % 4];
+    for (i*=4; i < toDecode; i++) {
+      data[i] ^= wsctx->header.mask.c[i % 4];
     }
 
-    switch (opcode) {
-      case WS_OPCODE_CLOSE:
-	rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)payload)[0]));
-	errno = ECONNRESET;
-	break;
-      case WS_OPCODE_TEXT_FRAME:
-	if (-1 == (flength = __b64_pton(payload, (unsigned char *)wsctx->codeBufDecode, sizeof(wsctx->codeBufDecode)))) {
-	  rfbErr("%s: Base64 decode error; %m\n", __func__);
-	  break;
-	}
-	payload = wsctx->codeBufDecode;
-	/* fall through */
-      case WS_OPCODE_BINARY_FRAME:
-	if (flength > len) {
-	  memcpy(wsctx->readbuf, payload + len, flength - len);
-	  wsctx->readbufstart = 0;
-	  wsctx->readbuflen = flength - len;
-	  flength = len;
-	}
-	memcpy(dst, payload, flength);
-	result = flength;
-	break;
+    /* all data is here, no carrying */
+    wsctx->carrylen = 0;
+  } else {
+    /* carry over remaining, non-multiple-of-four bytes */
+    wsctx->carrylen = toDecode - (i * 4);
+    if (wsctx->carrylen < 0 || wsctx->carrylen > ARRAYSIZE(wsctx->carryBuf)) {
+      rfbErr("%s: internal error, invalid carry over size: carrylen=%d, toDecode=%d, i=%d", __func__, wsctx->carrylen, toDecode, i);
+      *sockRet = -1;
+      errno = EIO;
+      return WS_HYBI_STATE_ERR;
+    }
+    rfbLog("carrying over %d bytes from %p to %p\n", wsctx->carrylen, wsctx->writePos + (i * 4), wsctx->carryBuf);
+    memcpy(wsctx->carryBuf, data + (i * 4), wsctx->carrylen);
+  }
+
+  toReturn = toDecode - wsctx->carrylen;
+
+  switch (wsctx->header.opcode) {
+    case WS_OPCODE_CLOSE:
+
+      /* this data is not returned as payload data */
+      if (hybiWsFrameComplete(wsctx)) {
+        rfbLog("got closure, reason %d\n", WS_NTOH16(((uint16_t *)data)[0]));
+        errno = ECONNRESET;
+        *sockRet = -1;
+        return WS_HYBI_STATE_FRAME_COMPLETE;
+      } else {
+        rfbErr("%s: close reason with long frame not supported", __func__);
+        errno = EIO;
+        *sockRet = -1;
+        return WS_HYBI_STATE_ERR;
+      }
+      break;
+    case WS_OPCODE_TEXT_FRAME:
+      data[toReturn] = '\0';
+      rfbLog("Initiate Base64 decoding in %p with max size %d and '\\0' at %p\n", data, bufsize, data + toReturn);
+      if (-1 == (wsctx->readlen = __b64_pton((char *)data, data, bufsize))) {
+        rfbErr("Base64 decode error in %s; data=%p bufsize=%d", __func__, data, bufsize);
+        rfbErr("%s: Base64 decode error; %m\n", __func__);
+      }
+      wsctx->writePos = hybiPayloadStart(wsctx);
+      break;
+    case WS_OPCODE_BINARY_FRAME:
+      wsctx->readlen = toReturn;
+      wsctx->writePos = hybiPayloadStart(wsctx);
+      break;
+    default:
+      rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)wsctx->header.opcode, wsctx->header.data->b0, wsctx->header.data->b1);
+  }
+  wsctx->readPos = data;
+
+  return hybiReturnData(dst, len, wsctx, sockRet);
+}
+
+/**
+ * Read function for websocket-socket emulation.
+ *
+ *    0                   1                   2                   3
+ *    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *   +-+-+-+-+-------+-+-------------+-------------------------------+
+ *   |F|R|R|R| opcode|M| Payload len |    Extended payload length    |
+ *   |I|S|S|S|  (4)  |A|     (7)     |             (16/64)           |
+ *   |N|V|V|V|       |S|             |   (if payload len==126/127)   |
+ *   | |1|2|3|       |K|             |                               |
+ *   +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
+ *   |     Extended payload length continued, if payload len == 127  |
+ *   + - - - - - - - - - - - - - - - +-------------------------------+
+ *   |                               |Masking-key, if MASK set to 1  |
+ *   +-------------------------------+-------------------------------+
+ *   | Masking-key (continued)       |          Payload Data         |
+ *   +-------------------------------- - - - - - - - - - - - - - - - +
+ *   :                     Payload Data continued ...                :
+ *   + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
+ *   |                     Payload Data continued ...                |
+ *   +---------------------------------------------------------------+
+ *
+ * Using the decode buffer, this function:
+ *  - reads the complete header from the underlying socket
+ *  - reads any remaining data bytes
+ *  - unmasks the payload data using the provided mask
+ *  - decodes Base64 encoded text data
+ *  - copies len bytes of decoded payload data into dst
+ *
+ * Emulates a read call on a socket.
+ */
+static int
+webSocketsDecodeHybi(rfbClientPtr cl, char *dst, int len)
+{
+    int result = -1;
+    ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
+    /* int fin; */ /* not used atm */
+
+    /* rfbLog(" <== %s[%d]: %d cl: %p, wsctx: %p-%p (%d)\n", __func__, gettid(), len, cl, wsctx, (char *)wsctx + sizeof(ws_ctx_t), sizeof(ws_ctx_t)); */
+    rfbLog("%s_enter: len=%d; "
+                      "CTX: readlen=%d readPos=%p "
+                      "writeTo=%p "
+                      "state=%d toRead=%d remaining=%d "
+                      " nReadRaw=%d carrylen=%d carryBuf=%p\n",
+                      __func__, len,
+                      wsctx->readlen, wsctx->readPos,
+                      wsctx->writePos,
+                      wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx),
+                      wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf);
+
+    switch (wsctx->hybiDecodeState){
+      case WS_HYBI_STATE_HEADER_PENDING:
+        wsctx->hybiDecodeState = hybiReadHeader(cl, &result);
+        if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) {
+          goto spor;
+        }
+        if (wsctx->hybiDecodeState != WS_HYBI_STATE_HEADER_PENDING) {
+
+          /* when header is complete, try to read some more data */
+          wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
+        }
+        break;
+      case WS_HYBI_STATE_DATA_AVAILABLE:
+        wsctx->hybiDecodeState = hybiReturnData(dst, len, wsctx, &result);
+        break;
+      case WS_HYBI_STATE_DATA_NEEDED:
+        wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
+        break;
+      case WS_HYBI_STATE_CLOSE_REASON_PENDING:
+        wsctx->hybiDecodeState = hybiReadAndDecode(cl, dst, len, &result);
+        break;
       default:
-	rfbErr("%s: unhandled opcode %d, b0: %02x, b1: %02x\n", __func__, (int)opcode, header->b0, header->b1);
+        /* invalid state */
+        rfbErr("%s: called with invalid state %d\n", wsctx->hybiDecodeState);
+        result = -1;
+        errno = EIO;
+        wsctx->hybiDecodeState = WS_HYBI_STATE_ERR;
     }
 
     /* single point of return, if someone has questions :-) */
 spor:
     /* rfbLog("%s: ret: %d/%d\n", __func__, result, len); */
+    if (wsctx->hybiDecodeState == WS_HYBI_STATE_FRAME_COMPLETE) {
+      rfbLog("frame received successfully, cleaning up: read=%d hlen=%d plen=%d\n", wsctx->header.nRead, wsctx->header.headerLen, wsctx->header.payloadLen);
+      /* frame finished, cleanup state */
+      hybiDecodeCleanup(wsctx);
+    } else if (wsctx->hybiDecodeState == WS_HYBI_STATE_ERR) {
+      hybiDecodeCleanup(wsctx);
+    }
+    rfbLog("%s_exit: len=%d; "
+                      "CTX: readlen=%d readPos=%p "
+                      "writePos=%p "
+                      "state=%d toRead=%d remaining=%d "
+                      "nRead=%d carrylen=%d carryBuf=%p "
+                      "result=%d\n",
+                      __func__, len,
+                      wsctx->readlen, wsctx->readPos,
+                      wsctx->writePos,
+                      wsctx->hybiDecodeState, wsctx->nToRead, hybiRemaining(wsctx),
+                      wsctx->nReadRaw, wsctx->carrylen, wsctx->carryBuf,
+                      result);
     return result;
 }
 
@@ -924,7 +1255,7 @@ webSocketsHasDataInBuffer(rfbClientPtr c
 {
     ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
 
-    if (wsctx && wsctx->readbuflen)
+    if (wsctx && wsctx->readlen)
       return TRUE;
 
     return (cl->sslctx && rfbssl_pending(cl) > 0);