Update CHANGELOG.md with WebSocket message parsing bounds checking fix

- Documented critical security fix for heap corruption prevention - Added details about comprehensive bounds validation in wsssht.c - Explained protection against malformed JSON message attacks - Described enhanced error handling and debug logging improvements

Update CHANGELOG.md with WebSocket message parsing bounds checking fix
- Documented critical security fix for heap corruption prevention - Added details about comprehensive bounds validation in wsssht.c - Explained protection against malformed JSON message attacks - Described enhanced error handling and debug logging improvements
d26c949e · Stefy Lanza (nextime / spora ) · c68b4134 · d26c949e
Commit d26c949e authored Sep 20, 2025 by Stefy Lanza (nextime / spora )
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

CHANGELOG.md CHANGELOG.md +8 -0

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -53,6 +53,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  - Hex-encoded 4KB data creates 8KB frames, which are much more network-friendly
  - Maintains transfer performance while improving stability for large files
+- **WebSocket Message Parsing Bounds Checking**: Critical security fix for heap corruption
+  - Added comprehensive bounds validation to all WebSocket message parsing in wsssht.c
+  - Prevents buffer overflows from malformed JSON messages that could corrupt heap metadata
+  - Validates all string operations stay within payload buffer limits
+  - Added length validation for data fields to prevent excessive memory allocation
+  - Protects against crashes from corrupted or malicious WebSocket frames
+  - Enhanced error handling with debug logging for malformed messages
 ## [1.6.5] - 2025-09-19
 ### Added