Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/06/30 13:21:20 UTC
[tomcat] 02/02: Fix BZ 64563 - additional payload length validation
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 4c04982870d6e730c38e21e58fb653b7cf723784
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 30 14:20:58 2020 +0100
Fix BZ 64563 - additional payload length validation
---
java/org/apache/catalina/websocket/LocalStrings.properties | 1 +
java/org/apache/catalina/websocket/WsFrame.java | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/java/org/apache/catalina/websocket/LocalStrings.properties b/java/org/apache/catalina/websocket/LocalStrings.properties
index 089dfee..edde581 100644
--- a/java/org/apache/catalina/websocket/LocalStrings.properties
+++ b/java/org/apache/catalina/websocket/LocalStrings.properties
@@ -14,6 +14,7 @@
# limitations under the License.
frame.eos=The end of the stream was reached before the expected number of payload bytes could be read
+frame.invalidLength=An invalid payload length was specified
frame.invalidUtf8=A sequence of bytes was received that did not represent valid UTF-8
frame.notMasked=The client frame was not masked but all client frames must be masked
frame.readEos=The end of the stream was reached when trying to read the first byte of a new WebSocket frame
diff --git a/java/org/apache/catalina/websocket/WsFrame.java b/java/org/apache/catalina/websocket/WsFrame.java
index 9f39777..d2189c2 100644
--- a/java/org/apache/catalina/websocket/WsFrame.java
+++ b/java/org/apache/catalina/websocket/WsFrame.java
@@ -84,6 +84,12 @@ public class WsFrame {
blockingRead(processor, extended);
payloadLength = Conversions.byteArrayToLong(extended);
}
+ // The most significant bit of those 8 bytes is required to be zero
+ // (see RFC 6455, section 5.2). If the most significant bit is set,
+ // the resulting payload length will be negative so test for that.
+ if (payloadLength < 0) {
+ throw new IOException(sm.getString("frame.invalidLength"));
+ }
if (isControl()) {
if (payloadLength > 125) {
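Review bot: No test accompanies the new `payloadLength < 0` guard. The diffstat lists only LocalStrings.properties and WsFrame.java, so a later refactor of the length parsing could drop the check unnoticed. A unit test that feeds a frame whose 8-byte extended length has its most significant bit set, and expects the `IOException`, would pin the behaviour. The guard also sits after the closing brace of the extended-length branch, so it runs for every length encoding although the comment speaks only of "those 8 bytes"; a closing sentence such as `// Checked after all length forms so a negative length never reaches the code below.` would make that explicit. The enclosing method starts and ends outside the hunk, so whether the other RFC 6455 section 5.2 length rules (for example minimal-length encoding) are enforced elsewhere cannot be confirmed from here.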