java: websocket: Additional payload length validation

<https://bz.apache.org/bugzilla/show_bug.cgi?id=64563> Patch taken from <https://github.com/apache/tomcat/commit/1c1c77b0efb667cea80b532440b44cea1dc427c3.patch> [ Subject / message tweak - Andrew ] Signed-off-by: Andrew Clayton <[email protected]>
nginx · Feb 21, 2025 · d7afeb2 · d7afeb2
1 parent 5e7bc38
commit d7afeb2
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/java/nginx/unit/websocket/WsFrameBase.java b/src/java/nginx/unit/websocket/WsFrameBase.java
@@ -260,6 +260,13 @@ private boolean processRemainingHeader() throws IOException {
         } else if (payloadLength == 127) {
             payloadLength = byteArrayToLong(inputBuffer.array(),
                     inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+            // The most significant bit of those 8 bytes is required to be zero
+            // (see RFC 6455, section 5.2). If the most significant bit is set,
+            // the resulting payload length will be negative so test for that.
+            if (payloadLength < 0) {
+                throw new WsIOException(
+                        new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+            }
             inputBuffer.position(inputBuffer.position() + 8);
         }
         if (Util.isControl(opCode)) {