Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/06/30 13:21:18 UTC

[tomcat] branch 7.0.x updated (34d19fb -> 4c04982)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    from 34d19fb  Correct calculation of payload length when using 4 or more bytes
     new b517002  Correct calculation of payload length when using 4 or more bytes
     new 4c04982  Fix BZ 64563 - additional payload length validation

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java/org/apache/catalina/util/Conversions.java             |  2 +-
 java/org/apache/catalina/websocket/LocalStrings.properties |  1 +
 java/org/apache/catalina/websocket/WsFrame.java            |  6 ++++++
 test/org/apache/catalina/util/TestConversions.java         | 12 ++++++++----
 4 files changed, 16 insertions(+), 5 deletions(-)




[tomcat] 01/02: Correct calculation of payload length when using 4 or more bytes

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit b51700209311c352e1c35d7845237da7a435b06b
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 30 14:18:55 2020 +0100

    Correct calculation of payload length when using 4 or more bytes
---
 java/org/apache/catalina/util/Conversions.java     |  2 +-
 test/org/apache/catalina/util/TestConversions.java | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/catalina/util/Conversions.java b/java/org/apache/catalina/util/Conversions.java
index 322fdbb..b98c2d0 100644
--- a/java/org/apache/catalina/util/Conversions.java
+++ b/java/org/apache/catalina/util/Conversions.java
@@ -33,7 +33,7 @@ public class Conversions {
         int shift = 0;
         long result = 0;
         for (int i = input.length - 1; i >= 0; i--) {
-            result = result + ((input[i] & 0xFF) << shift);
+            result = result + ((input[i] & 0xFFL) << shift);
             shift += 8;
         }
 
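Review bot: The widened mask on the `+` line fixes the 4-to-8-byte case, but the loop still accepts arrays longer than 8 bytes: once `shift` reaches 64 the long shift count wraps (Java masks it to the low 6 bits), so a 9-byte input silently folds its first byte back onto the low bits instead of failing. A guard before the loop, `if (input.length > 8) { throw new IllegalArgumentException("input.length > 8"); }`, would make the contract explicit, and the method's Javadoc should state that the array is big-endian, unsigned per byte, and at most 8 bytes long. The enclosing byteArrayToLong method starts before and ends after this hunk.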
diff --git a/test/org/apache/catalina/util/TestConversions.java b/test/org/apache/catalina/util/TestConversions.java
index fae4f8b..a9a228b 100644
--- a/test/org/apache/catalina/util/TestConversions.java
+++ b/test/org/apache/catalina/util/TestConversions.java
@@ -28,10 +28,14 @@ public class TestConversions {
         Assert.assertEquals(0L, Conversions.byteArrayToLong(new byte[] { 0 }));
         Assert.assertEquals(1L, Conversions.byteArrayToLong(new byte[] { 1 }));
         Assert.assertEquals(0xFF, Conversions.byteArrayToLong(new byte[] { -1 }));
-        Assert.assertEquals(0xFFFF,
-                Conversions.byteArrayToLong(new byte[] { -1, -1 }));
-        Assert.assertEquals(0xFFFFFF,
-                Conversions.byteArrayToLong(new byte[] { -1, -1, -1 }));
+        Assert.assertEquals(0xFFFF, Conversions.byteArrayToLong(new byte[] { -1, -1 }));
+        Assert.assertEquals(0xFFFFFF, Conversions.byteArrayToLong(new byte[] { -1, -1, -1 }));
+        Assert.assertEquals(0xFFFFFFFFL, Conversions.byteArrayToLong(new byte[] { -1, -1, -1, -1 }));
+        Assert.assertEquals(0xFFFFFFFFFFL, Conversions.byteArrayToLong(new byte[] { -1, -1, -1, -1, -1 }));
+        Assert.assertEquals(0xFFFFFFFFFFFFL, Conversions.byteArrayToLong(new byte[] { -1, -1, -1, -1, -1, -1 }));
+        Assert.assertEquals(0xFFFFFFFFFFFFFFL, Conversions.byteArrayToLong(new byte[] { -1, -1, -1, -1, -1, -1, -1 }));
+        Assert.assertEquals(0x7FFFFFFFFFFFFFFFL, Conversions.byteArrayToLong(new byte[] {127, -1, -1, -1, -1, -1, -1, -1 }));
+        Assert.assertEquals(-1, Conversions.byteArrayToLong(new byte[] { -1, -1, -1, -1, -1, -1, -1, -1 }));
     }
 
 }
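Review bot: The new assertions cover 1 to 8 bytes but not the two boundaries the loop in Conversions.byteArrayToLong also reaches: an empty array (the loop body never runs, so it returns 0) and an array longer than 8 bytes, whose result depends on how the shift count wraps. Adding `Assert.assertEquals(0L, Conversions.byteArrayToLong(new byte[0]));` pins the first, and a case for a 9-byte input would document whichever behaviour is intended for the second.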




[tomcat] 02/02: Fix BZ 64563 - additional payload length validation

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 4c04982870d6e730c38e21e58fb653b7cf723784
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 30 14:20:58 2020 +0100

    Fix BZ 64563 - additional payload length validation
---
 java/org/apache/catalina/websocket/LocalStrings.properties | 1 +
 java/org/apache/catalina/websocket/WsFrame.java            | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/java/org/apache/catalina/websocket/LocalStrings.properties b/java/org/apache/catalina/websocket/LocalStrings.properties
index 089dfee..edde581 100644
--- a/java/org/apache/catalina/websocket/LocalStrings.properties
+++ b/java/org/apache/catalina/websocket/LocalStrings.properties
@@ -14,6 +14,7 @@
 # limitations under the License.
 
 frame.eos=The end of the stream was reached before the expected number of payload bytes could be read
+frame.invalidLength=An invalid payload length was specified
 frame.invalidUtf8=A sequence of bytes was received that did not represent valid UTF-8
 frame.notMasked=The client frame was not masked but all client frames must be masked
 frame.readEos=The end of the stream was reached when trying to read the first byte of a new WebSocket frame
diff --git a/java/org/apache/catalina/websocket/WsFrame.java b/java/org/apache/catalina/websocket/WsFrame.java
index 9f39777..d2189c2 100644
--- a/java/org/apache/catalina/websocket/WsFrame.java
+++ b/java/org/apache/catalina/websocket/WsFrame.java
@@ -84,6 +84,12 @@ public class WsFrame {
             blockingRead(processor, extended);
             payloadLength = Conversions.byteArrayToLong(extended);
         }
+        // The most significant bit of those 8 bytes is required to be zero
+        // (see RFC 6455, section 5.2). If the most significant bit is set,
+        // the resulting payload length will be negative so test for that.
+        if (payloadLength < 0) {
+            throw new IOException(sm.getString("frame.invalidLength"));
+        }
 
         if (isControl()) {
             if (payloadLength > 125) {
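Review bot: The sign check on `payloadLength` correctly rejects an 8-byte length with the top bit set, but it is the only new validation, and RFC 6455 section 5.2 also requires the minimal encoding (a 2-byte length must be at least 126 and an 8-byte length at least 65536); unless that is enforced elsewhere in the method, a peer can still send non-canonical lengths that this frame parser accepts. The control-frame bound on the next line handles only that frame class, so it is worth confirming, outside this hunk, what upper bound applies to non-control frames before the length is used for buffer sizing. The enclosing method begins before and continues past this hunk.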

