Diffstat (limited to 'src/java/nginx/unit/websocket/WsFrameBase.java')
-rw-r--r--src/java/nginx/unit/websocket/WsFrameBase.java9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/java/nginx/unit/websocket/WsFrameBase.java b/src/java/nginx/unit/websocket/WsFrameBase.java
index 06d20bf4..f07a8962 100644
--- a/src/java/nginx/unit/websocket/WsFrameBase.java
+++ b/src/java/nginx/unit/websocket/WsFrameBase.java
@@ -260,6 +260,13 @@ public abstract class WsFrameBase {
} else if (payloadLength == 127) {
payloadLength = byteArrayToLong(inputBuffer.array(),
inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+ // The most significant bit of those 8 bytes is required to be zero
+ // (see RFC 6455, section 5.2). If the most significant bit is set,
+ // the resulting payload length will be negative so test for that.
+ if (payloadLength < 0) {
+ throw new WsIOException(
+ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+ }
inputBuffer.position(inputBuffer.position() + 8);
}
if (Util.isControl(opCode)) {
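Review bot: The guard added in the `payloadLength == 127` branch rejects only a length whose most significant bit is set, so any positive 64-bit value up to `Long.MAX_VALUE` still passes this point. Whether such a length is capped against a configured message or buffer limit is decided outside this hunk and should be confirmed, because the enclosing method starts and ends outside the visible lines. The check is only reliable together with the `0xFFL` change in `byteArrayToLong` in the second hunk, since the old int mask made the shift wrap at 32 bits, so the two changes should stay together in any backport. The `wsFrame.payloadMsbInvalid` key also has to exist in the bundle that `sm` reads, which cannot be verified here because this view is limited to one file. A regression test that feeds an 8-byte extended length with the top bit set and expects a `PROTOCOL_ERROR` close would pin the behaviour.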
@@ -670,7 +677,7 @@ public abstract class WsFrameBase {
int shift = 0;
long result = 0;
for (int i = start + len - 1; i >= start; i--) {
- result = result + ((b[i] & 0xFF) << shift);
+ result = result + ((b[i] & 0xFFL) << shift);
shift += 8;
}
return result;
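Review bot: The `L` suffix on the mask is the entire fix, yet nothing on the line explains why it matters, so a later cleanup could drop it unnoticed. I would add a comment above the assignment such as `// Mask as long: with an int operand << wraps at 32 bits and bytes above the low four are corrupted`. For `len` up to 8 the shifted parts never overlap, so `result |= (b[i] & 0xFFL) << shift;` would state the intent more directly than the addition. Whether `len` is limited to 8 before the loop is not visible because the method begins above the hunk; with a larger `len` the shift would wrap at 64 bits.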