From d7afeb2b94f1cd72ed02403609e5484f9514e5eb Mon Sep 17 00:00:00 2001
From: Mark Thomas
Date: Mon, 29 Jun 2020 14:02:59 +0100
Subject: java: websocket: Additional payload length validation

Patch taken from

[ Subject / message tweak - Andrew ]

Signed-off-by: Andrew Clayton
---
 src/java/nginx/unit/websocket/WsFrameBase.java | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src')

diff --git a/src/java/nginx/unit/websocket/WsFrameBase.java b/src/java/nginx/unit/websocket/WsFrameBase.java
index 2057ff3f..f07a8962 100644
--- a/src/java/nginx/unit/websocket/WsFrameBase.java
+++ b/src/java/nginx/unit/websocket/WsFrameBase.java
@@ -260,6 +260,13 @@ public abstract class WsFrameBase {
 } else if (payloadLength == 127) {
 payloadLength = byteArrayToLong(inputBuffer.array(),
 inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+ // The most significant bit of those 8 bytes is required to be zero
+ // (see RFC 6455, section 5.2). If the most significant bit is set,
+ // the resulting payload length will be negative so test for that.
+ if (payloadLength < 0) {
+ throw new WsIOException(
+ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+ }
 inputBuffer.position(inputBuffer.position() + 8);
 }
 if (Util.isControl(opCode)) {
-- 
cgit
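Review bot: The new `if (payloadLength < 0)` guard only rejects a set sign bit in the 8-byte length; RFC 6455 section 5.2, which the added comment cites, also requires the minimal encoding, so a 127-prefixed length below 65536 (or, in the branch above this hunk, a 126-prefixed length below 126) still passes and is left to whatever size limit is applied later, which is not visible here. If minimal encoding is meant to be enforced, a second branch alongside this one, closing with PROTOCOL_ERROR and its own message key, is the natural place for it. Separately, the diffstat shows only WsFrameBase.java changed, so unless `wsFrame.payloadMsbInvalid` already exists in the strings bundle, `sm.getString("wsFrame.payloadMsbInvalid")` will resolve to a missing-key placeholder in the close reason sent to the peer. The enclosing method starts and ends outside the hunk.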