From 40fa74c74822711ab878079d0a69f7357926723d Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Mon, 29 Jun 2020 14:02:59 +0100
Subject: [PATCH] Fix BZ 64563 - additional payload length validation
https://bz.apache.org/bugzilla/show_bug.cgi?id=64563
---
java/org/apache/tomcat/websocket/LocalStrings.properties | 1 +
java/org/apache/tomcat/websocket/WsFrameBase.java | 7 +++++++
webapps/docs/changelog.xml | 8 ++++++++
3 files changed, 16 insertions(+)
diff --git a/java/org/apache/tomcat/websocket/LocalStrings.properties b/java/org/apache/tomcat/websocket/LocalStrings.properties
index 9412ffeb61..929822d94c 100644
--- a/java/org/apache/tomcat/websocket/LocalStrings.properties
+++ b/java/org/apache/tomcat/websocket/LocalStrings.properties
@@ -70,6 +70,7 @@ wsFrame.noContinuation=A new message was started when a continuation frame was e
wsFrame.notMasked=The client frame was not masked but all client frames must be masked
wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
+wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
wsFrame.suspendRequested=Suspend of the message receiving has already been requested.
wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
diff --git a/java/org/apache/tomcat/websocket/WsFrameBase.java b/java/org/apache/tomcat/websocket/WsFrameBase.java
index 28cdc30036..4afad67534 100644
--- a/java/org/apache/tomcat/websocket/WsFrameBase.java
+++ b/java/org/apache/tomcat/websocket/WsFrameBase.java
@@ -261,6 +261,13 @@ private boolean processRemainingHeader() throws IOException {
} else if (payloadLength == 127) {
payloadLength = byteArrayToLong(inputBuffer.array(),
inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+ // The most significant bit of those 8 bytes is required to be zero
+ // (see RFC 6455, section 5.2). If the most significant bit is set,
+ // the resulting payload length will be negative so test for that.
+ if (payloadLength < 0) {
+ throw new WsIOException(
+ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+ }
inputBuffer.position(inputBuffer.position() + 8);
}
if (Util.isControl(opCode)) {
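Review bot: The added `if (payloadLength < 0)` guard in the `payloadLength == 127` branch rejects only a set sign bit, so an 8-byte length such as 0x7FFFFFFFFFFFFFFF still leaves this branch as a valid value; whether it is later bounded against the configured buffer and message size limits cannot be confirmed here, because processRemainingHeader starts and ends outside the hunk. A one-line comment after the check would record that, e.g. `// Large positive lengths are not rejected here; size limits must be enforced by the code that consumes payloadLength`. The diffstat lists no test file, so a regression test that feeds a frame with length indicator 127 and the top bit set and expects a PROTOCOL_ERROR close would keep the check from regressing.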
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e75f367171..1d1a735c7e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -127,6 +127,14 @@
</fix>
</changelog>
</subsection>
+ <subsection name="WebSocket">
+ <changelog>
+ <fix>
+ <bug>64563</bug>: Add additional validation of payload length for
+ WebSocket messages. (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Other">
<changelog>
<fix>