Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:Update
tomcat.32131
tomcat-9.0-CVE-2020-13935.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tomcat-9.0-CVE-2020-13935.patch of Package tomcat.32131
From 40fa74c74822711ab878079d0a69f7357926723d Mon Sep 17 00:00:00 2001 From: Mark Thomas <markt@apache.org> Date: Mon, 29 Jun 2020 14:02:59 +0100 Subject: [PATCH] Fix BZ 64563 - additional payload length validation https://bz.apache.org/bugzilla/show_bug.cgi?id=64563 --- java/org/apache/tomcat/websocket/LocalStrings.properties | 1 + java/org/apache/tomcat/websocket/WsFrameBase.java | 7 +++++++ webapps/docs/changelog.xml | 8 ++++++++ 3 files changed, 16 insertions(+) Index: apache-tomcat-9.0.36-src/java/org/apache/tomcat/websocket/LocalStrings.properties =================================================================== --- apache-tomcat-9.0.36-src.orig/java/org/apache/tomcat/websocket/LocalStrings.properties +++ apache-tomcat-9.0.36-src/java/org/apache/tomcat/websocket/LocalStrings.properties @@ -71,6 +71,7 @@ wsFrame.noContinuation=A new message was wsFrame.notMasked=The client frame was not masked but all client frames must be masked wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}] +wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed wsFrame.suspendRequested=Suspend of the message receiving has already been requested. wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages Index: apache-tomcat-9.0.36-src/java/org/apache/tomcat/websocket/WsFrameBase.java =================================================================== --- apache-tomcat-9.0.36-src.orig/java/org/apache/tomcat/websocket/WsFrameBase.java +++ apache-tomcat-9.0.36-src/java/org/apache/tomcat/websocket/WsFrameBase.java @@ -262,6 +262,13 @@ public abstract class WsFrameBase { } else if (payloadLength == 127) { payloadLength = byteArrayToLong(inputBuffer.array(), inputBuffer.arrayOffset() + inputBuffer.position(), 8); + // The most significant bit of those 8 bytes is required to be zero + // (see RFC 6455, section 5.2). If the most significant bit is set, + // the resulting payload length will be negative so test for that. + if (payloadLength < 0) { + throw new WsIOException( + new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid"))); + } ((Buffer)inputBuffer).position(inputBuffer.position() + 8); } if (Util.isControl(opCode)) { Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml =================================================================== --- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml +++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml @@ -491,6 +491,14 @@ </fix> </changelog> </subsection> + <subsection name="WebSocket"> + <changelog> + <fix> + <bug>64563</bug>: Add additional validation of payload length for + WebSocket messages. (markt) + </fix> + </changelog> + </subsection> <subsection name="Other"> <changelog> <fix>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor