Fix BZ 64563 - additional payload length validation · apache/tomcat@40fa74c · GitHub
Skip to content

Commit

Permalink
Fix BZ 64563 - additional payload length validation
Browse files Browse the repository at this point in the history
  • Loading branch information
markt-asf committed Jun 30, 2020
1 parent e2ce6a9 commit 40fa74c
Show file tree
Hide file tree
Showing 3 changed files with 16 additions and 0 deletions.
1 change: 1 addition & 0 deletions java/org/apache/tomcat/websocket/LocalStrings.properties
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ wsFrame.noContinuation=A new message was started when a continuation frame was e
wsFrame.notMasked=The client frame was not masked but all client frames must be masked
wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
wsFrame.suspendRequested=Suspend of the message receiving has already been requested.
wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
Expand Down
7 changes: 7 additions & 0 deletions java/org/apache/tomcat/websocket/WsFrameBase.java
Original file line number Diff line number Diff line change
Expand Up @@ -261,6 +261,13 @@ private boolean processRemainingHeader() throws IOException {
} else if (payloadLength == 127) {
payloadLength = byteArrayToLong(inputBuffer.array(),
inputBuffer.arrayOffset() + inputBuffer.position(), 8);
// The most significant bit of those 8 bytes is required to be zero
// (see RFC 6455, section 5.2). If the most significant bit is set,
// the resulting payload length will be negative so test for that.
if (payloadLength < 0) {
throw new WsIOException(
new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
}
inputBuffer.position(inputBuffer.position() + 8);
}
if (Util.isControl(opCode)) {
Expand Down
8 changes: 8 additions & 0 deletions webapps/docs/changelog.xml
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,14 @@
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>64563</bug>: Add additional validation of payload length for
WebSocket messages. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Expand Down

0 comments on commit 40fa74c

Please sign in to comment.