| author | Mark Thomas <markt@apache.org> | 2020-06-29 14:02:59 +0100 |
|---|---|---|
| committer | Andrew Clayton <a.clayton@nginx.com> | 2025-02-21 22:49:15 +0000 |
| commit | d7afeb2b94f1cd72ed02403609e5484f9514e5eb (patch) | |
| tree | 092904a77253c20a0134a83354ba1c1fa5546922 /src/java/nginx/unit | |
| parent | 5e7bc383f60e7567def0dc25c9ced44bbf60d550 (diff) | |
java: websocket: Additional payload length validation
<https://bz.apache.org/bugzilla/show_bug.cgi?id=64563>
Patch taken from <https://github.com/apache/tomcat/commit/1c1c77b0efb667cea80b532440b44cea1dc427c3.patch>
[ Subject / message tweak - Andrew ]
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
Diffstat (limited to 'src/java/nginx/unit')
| -rw-r--r-- | src/java/nginx/unit/websocket/WsFrameBase.java | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/java/nginx/unit/websocket/WsFrameBase.java b/src/java/nginx/unit/websocket/WsFrameBase.java
index 2057ff3f..f07a8962 100644
--- a/src/java/nginx/unit/websocket/WsFrameBase.java
+++ b/src/java/nginx/unit/websocket/WsFrameBase.java
@@ -260,6 +260,13 @@ public abstract class WsFrameBase {
 } else if (payloadLength == 127) {
 payloadLength = byteArrayToLong(inputBuffer.array(),
 inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+ // The most significant bit of those 8 bytes is required to be zero
+ // (see RFC 6455, section 5.2). If the most significant bit is set,
+ // the resulting payload length will be negative so test for that.
+ if (payloadLength < 0) {
+ throw new WsIOException(
+ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+ }
 inputBuffer.position(inputBuffer.position() + 8);
 }
 if (Util.isControl(opCode)) {
|
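Review bot: The added `sm.getString("wsFrame.payloadMsbInvalid")` call depends on a message key that this commit does not add, since the diffstat lists only WsFrameBase.java. Unless the key already exists in the websocket package's message bundle, the PROTOCOL_ERROR close reason will probably carry no usable text, and how `sm` handles a missing key is not visible here. I would add the entry in the same change, for example `wsFrame.payloadMsbInvalid=Invalid WebSocket frame: the most significant bit of the 64-bit payload length is set`. A regression test that feeds a 127-length frame with the top bit set and expects the PROTOCOL_ERROR close would also pin the check. The enclosing method starts and ends outside this hunk, so any later bounds checks on `payloadLength` cannot be confirmed from here.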
