This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit f9f75c14678b68633f79030ddf4ff827f014cc84
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jun 29 14:02:59 2020 +0100
Fix BZ 64563 - additional payload length validation
https://bz.apache.org/bugzilla/show_bug.cgi?id=64563
---
 java/org/apache/tomcat/websocket/LocalStrings.properties | 1 +
 java/org/apache/tomcat/websocket/WsFrameBase.java | 7 +++++++
 webapps/docs/changelog.xml | 4 ++++
 3 files changed, 12 insertions(+)
diff --git a/java/org/apache/tomcat/websocket/LocalStrings.properties b/java/org/apache/tomcat/websocket/LocalStrings.properties
index 00a409c..0659225 100644
--- a/java/org/apache/tomcat/websocket/LocalStrings.properties
+++ b/java/org/apache/tomcat/websocket/LocalStrings.properties
@@ -64,6 +64,7 @@ wsFrame.noContinuation=A new message was started when a continuation frame was e
 wsFrame.notMasked=The client frame was not masked but all client frames must be masked
 wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
 wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
+wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
 wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
 wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
 wsFrame.wrongRsv=The client frame set the reserved bits to [{0}] for a message with opCode [{1}] which was not supported by this endpoint
diff --git a/java/org/apache/tomcat/websocket/WsFrameBase.java b/java/org/apache/tomcat/websocket/WsFrameBase.java
index b3d7261..e7b13fd 100644
--- a/java/org/apache/tomcat/websocket/WsFrameBase.java
+++ b/java/org/apache/tomcat/websocket/WsFrameBase.java
@@ -256,6 +256,13 @@ public abstract class WsFrameBase {
 readPos += 2;
 } else if (payloadLength == 127) {
 payloadLength = byteArrayToLong(inputBuffer, readPos, 8);
+ // The most significant bit of those 8 bytes is required to be zero
+ // (see RFC 6455, section 5.2). If the most significant bit is set,
+ // the resulting payload length will be negative so test for that.
+ if (payloadLength < 0) {
+ throw new WsIOException(
+ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+ }
 readPos += 8;
 }
 if (Util.isControl(opCode)) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 23df812..93823de 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,10 @@ Include the target URL in the log message when a WebSocket connection fails. (markt) </add> + <fix> + <bug>64563</bug>: Add additional validation of payload length for + WebSocket messages. (markt) + </fix> </changelog> </subsection> <subsection name="Other">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
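Review bot: The new `if (payloadLength < 0)` guard in the `payloadLength == 127` branch of WsFrameBase.java rejects only a set sign bit, so any non-negative 64-bit length still passes this point. Whether such a length is bounded before it drives buffer handling depends on code outside the hunk (the `Util.isControl(opCode)` check that follows covers control frames only, presumably), and that should be confirmed for data frames. The diffstat lists no test file, so a regression test that feeds a 127-form header with the top bit set and asserts a `CloseCodes.PROTOCOL_ERROR` close would pin this fix. It would also help to extend the comment with something like `// Only the sign bit is validated here; size limits are applied later`, if that is in fact where they are applied. The enclosing method starts and ends outside the hunk.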