authorMark Thomas <markt@apache.org>2020-06-29 14:02:59 +0100
committerAndrew Clayton <a.clayton@nginx.com>2025-02-25 17:08:06 +0000
commite857293f5aae004403490cf0f62187959951769c (patch)
tree48dfd295bdbc954e6f24bd3679fe80dc9686d009 /src/java/nginx/unit/websocket/WsFrameBase.java
parentc1372d1e43bd0457c8a00b055f667022c54d7219 (diff)
java: websocket: Additional payload length validation
<https://bz.apache.org/bugzilla/show_bug.cgi?id=64563> Patch taken from <https://github.com/apache/tomcat/commit/1c1c77b0efb667cea80b532440b44cea1dc427c3.patch> [ Subject / message tweak - Andrew ] Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
Diffstat (limited to '')
-rw-r--r--src/java/nginx/unit/websocket/WsFrameBase.java7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/java/nginx/unit/websocket/WsFrameBase.java b/src/java/nginx/unit/websocket/WsFrameBase.java
index 2057ff3f..f07a8962 100644
--- a/src/java/nginx/unit/websocket/WsFrameBase.java
+++ b/src/java/nginx/unit/websocket/WsFrameBase.java
@@ -260,6 +260,13 @@ public abstract class WsFrameBase {
} else if (payloadLength == 127) {
payloadLength = byteArrayToLong(inputBuffer.array(),
inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+ // The most significant bit of those 8 bytes is required to be zero
+ // (see RFC 6455, section 5.2). If the most significant bit is set,
+ // the resulting payload length will be negative so test for that.
+ if (payloadLength < 0) {
+ throw new WsIOException(
+ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+ }
inputBuffer.position(inputBuffer.position() + 8);
}
if (Util.isControl(opCode)) {
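Review bot: The throw added under `if (payloadLength < 0)` looks up a new message key, `sm.getString("wsFrame.payloadMsbInvalid")`, but the diffstat lists only WsFrameBase.java as changed. Unless that key already exists in the bundle `sm` reads, the close reason will probably carry a missing or fallback phrase, so the property should be confirmed or added in the same commit, for example `wsFrame.payloadMsbInvalid=Invalid WebSocket frame: the most significant bit of the 64-bit payload length is set`. Separately, the check only rejects a set most significant bit. A declared length of up to 2^63-1 still passes here, so protection against oversized frames depends on limits enforced later in the method, which begins and ends outside this hunk.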