File tomcat-9.0-CVE-2020-13935.patch of Package tomcat.21643

From 40fa74c74822711ab878079d0a69f7357926723d Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Mon, 29 Jun 2020 14:02:59 +0100
Subject: [PATCH] Fix BZ 64563 - additional payload length validation

https://bz.apache.org/bugzilla/show_bug.cgi?id=64563
---
 java/org/apache/tomcat/websocket/LocalStrings.properties | 1 +
 java/org/apache/tomcat/websocket/WsFrameBase.java        | 7 +++++++
 webapps/docs/changelog.xml                               | 8 ++++++++
 3 files changed, 16 insertions(+)

Index: apache-tomcat-9.0.36-src/java/org/apache/tomcat/websocket/LocalStrings.properties
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/tomcat/websocket/LocalStrings.properties
+++ apache-tomcat-9.0.36-src/java/org/apache/tomcat/websocket/LocalStrings.properties
@@ -71,6 +71,7 @@ wsFrame.noContinuation=A new message was
 wsFrame.notMasked=The client frame was not masked but all client frames must be masked
 wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
 wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
+wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
 wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
 wsFrame.suspendRequested=Suspend of the message receiving has already been requested.
 wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
Index: apache-tomcat-9.0.36-src/java/org/apache/tomcat/websocket/WsFrameBase.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/tomcat/websocket/WsFrameBase.java
+++ apache-tomcat-9.0.36-src/java/org/apache/tomcat/websocket/WsFrameBase.java
@@ -262,6 +262,13 @@ public abstract class WsFrameBase {
         } else if (payloadLength == 127) {
             payloadLength = byteArrayToLong(inputBuffer.array(),
                     inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+            // The most significant bit of those 8 bytes is required to be zero
+            // (see RFC 6455, section 5.2). If the most significant bit is set,
+            // the resulting payload length will be negative so test for that.
+            if (payloadLength < 0) {
+                throw new WsIOException(
+                        new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+            }
             ((Buffer)inputBuffer).position(inputBuffer.position() + 8);
         }
         if (Util.isControl(opCode)) {
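Review bot: The new `payloadLength < 0` check in the `payloadLength == 127` branch ships without a regression test; the diffstat lists only the properties file, WsFrameBase.java and the changelog. A test that gives the header parser a 64-bit extended length with its most significant bit set and asserts a `WsIOException` carrying `CloseCodes.PROTOCOL_ERROR` would stop a later refactor of `byteArrayToLong` or this branch from silently dropping the guard. The added comment says the value becomes negative but not why that matters downstream. Presumably the later frame-processing code assumes a non-negative length, so a line such as `// Reject here: code below assumes payloadLength >= 0 (BZ 64563 / CVE-2020-13935).` would help maintainers. The check only excludes negative values, and the enclosing method starts and ends outside this hunk, so it is not visible here whether very large positive lengths are bounded.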
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -491,6 +491,14 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="WebSocket">
+    <changelog>
+      <fix>
+        <bug>64563</bug>: Add additional validation of payload length for
+        WebSocket messages. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Other">
     <changelog>
       <fix>