Fix BZ 64563 - additional payload length validation

apache · Jun 30, 2020 · 4c04982 · 4c04982
1 parent b517002
commit 4c04982
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/java/org/apache/catalina/websocket/LocalStrings.properties b/java/org/apache/catalina/websocket/LocalStrings.properties
@@ -14,6 +14,7 @@
 # limitations under the License.
 
 frame.eos=The end of the stream was reached before the expected number of payload bytes could be read
+frame.invalidLength=An invalid payload length was specified
 frame.invalidUtf8=A sequence of bytes was received that did not represent valid UTF-8
 frame.notMasked=The client frame was not masked but all client frames must be masked
 frame.readEos=The end of the stream was reached when trying to read the first byte of a new WebSocket frame

diff --git a/java/org/apache/catalina/websocket/WsFrame.java b/java/org/apache/catalina/websocket/WsFrame.java
@@ -84,6 +84,12 @@ private WsFrame(byte first,
             blockingRead(processor, extended);
             payloadLength = Conversions.byteArrayToLong(extended);
         }
+        // The most significant bit of those 8 bytes is required to be zero
+        // (see RFC 6455, section 5.2). If the most significant bit is set,
+        // the resulting payload length will be negative so test for that.
+        if (payloadLength < 0) {
+            throw new IOException(sm.getString("frame.invalidLength"));
+        }
 
         if (isControl()) {
             if (payloadLength > 125) {