Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/06/30 13:21:20 UTC

[tomcat] 02/02: Fix BZ 64563 - additional payload length validation

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 4c04982870d6e730c38e21e58fb653b7cf723784
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 30 14:20:58 2020 +0100

    Fix BZ 64563 - additional payload length validation
---
 java/org/apache/catalina/websocket/LocalStrings.properties | 1 +
 java/org/apache/catalina/websocket/WsFrame.java            | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/java/org/apache/catalina/websocket/LocalStrings.properties b/java/org/apache/catalina/websocket/LocalStrings.properties
index 089dfee..edde581 100644
--- a/java/org/apache/catalina/websocket/LocalStrings.properties
+++ b/java/org/apache/catalina/websocket/LocalStrings.properties
@@ -14,6 +14,7 @@
 # limitations under the License.
 
 frame.eos=The end of the stream was reached before the expected number of payload bytes could be read
+frame.invalidLength=An invalid payload length was specified
 frame.invalidUtf8=A sequence of bytes was received that did not represent valid UTF-8
 frame.notMasked=The client frame was not masked but all client frames must be masked
 frame.readEos=The end of the stream was reached when trying to read the first byte of a new WebSocket frame
diff --git a/java/org/apache/catalina/websocket/WsFrame.java b/java/org/apache/catalina/websocket/WsFrame.java
index 9f39777..d2189c2 100644
--- a/java/org/apache/catalina/websocket/WsFrame.java
+++ b/java/org/apache/catalina/websocket/WsFrame.java
@@ -84,6 +84,12 @@ public class WsFrame {
             blockingRead(processor, extended);
             payloadLength = Conversions.byteArrayToLong(extended);
         }
+        // The most significant bit of those 8 bytes is required to be zero
+        // (see RFC 6455, section 5.2). If the most significant bit is set,
+        // the resulting payload length will be negative so test for that.
+        if (payloadLength < 0) {
+            throw new IOException(sm.getString("frame.invalidLength"));
+        }
 
         if (isControl()) {
             if (payloadLength > 125) {
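Review bot: The comment on the new `payloadLength < 0` guard says "those 8 bytes", but the guard sits after the closing brace of what appears to be the 8-byte extended-length branch, so the phrase has no referent there. The guard also runs for the shorter length encodings, which should not be able to produce a negative value. Either move the check inside that branch, directly after `payloadLength = Conversions.byteArrayToLong(extended);`, or reword the comment, for example `// Only the 8-byte extended length can set the most significant bit (RFC 6455, section 5.2); it shows up here as a negative long.` The guard rejects only negative values, and the visible 125-byte cap applies to control frames only. Whether very large positive lengths on data frames are bounded later cannot be seen from this hunk, since the enclosing method starts and ends outside it, so it is worth confirming. The diffstat lists no test file, so a regression test feeding a frame with the top length bit set would pin this behaviour.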

