Fix websocket 64-bit length overflow

Signed-off-by: Matteo Collina <hello@matteocollina.com>
(cherry picked from commit 84235c6)

Author: mcollina

lib/web/websocket/receiver.js

@@ -189,21 +189,20 @@ class ByteParser extends Writable {
 
         const buffer = this.consume(8)
         const upper = buffer.readUInt32BE(0)
+        const lower = buffer.readUInt32BE(4)
 
         // 2^31 is the maximum bytes an arraybuffer can contain
         // on 32-bit systems. Although, on 64-bit systems, this is
         // 2^53-1 bytes.
         // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Invalid_array_length
         // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/common/globals.h;drc=1946212ac0100668f14eb9e2843bdd846e510a1e;bpv=1;bpt=1;l=1275
         // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-array-buffer.h;l=34;drc=1946212ac0100668f14eb9e2843bdd846e510a1e
-        if (upper > 2 ** 31 - 1) {
+        if (upper !== 0 || lower > 2 ** 31 - 1) {
           failWebsocketConnection(this.ws, 'Received payload length > 2^31 bytes.')
           return
         }
 
-        const lower = buffer.readUInt32BE(4)
-
-        this.#info.payloadLength = (upper << 8) + lower
+        this.#info.payloadLength = lower
         this.#state = parserStates.READ_DATA
       } else if (this.#state === parserStates.READ_DATA) {
         if (this.#byteOffset < this.#info.payloadLength) {

test/websocket/receive.js

@@ -28,6 +28,29 @@ test('Receiving a frame with a payload length > 2^31-1 bytes', () => {
   })
 })
 
+test('Receiving a 64-bit payload length with a non-zero upper word', () => {
+  const server = new WebSocketServer({ port: 0 })
+
+  server.on('connection', (ws) => {
+    const socket = ws._socket
+
+    socket.write(Buffer.from([0x82, 0x7F, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01]))
+  })
+
+  const ws = new WebSocket(`ws://localhost:${server.address().port}`)
+
+  return new Promise((resolve, reject) => {
+    ws.onmessage = reject
+
+    ws.addEventListener('error', (event) => {
+      assert.ok(event.error instanceof Error)
+      ws.close()
+      server.close()
+      resolve()
+    })
+  })
+})
+
 test('Receiving an ArrayBuffer', () => {
   const server = new WebSocketServer({ port: 0 })
 

test/websocket/receiver-unit.js

@@ -0,0 +1,40 @@
+'use strict'
+
+const { test } = require('node:test')
+const { ByteParser } = require('../../lib/web/websocket/receiver')
+const { states } = require('../../lib/web/websocket/constants')
+
+const invalidFrame = Buffer.from([0x82, 0x7F, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01])
+
+test('ByteParser rejects 64-bit payload lengths with a non-zero upper word', (t) => {
+  const calls = {
+    abort: 0,
+    close: 0
+  }
+
+  const handler = {
+    readyState: states.CONNECTING,
+    controller: {
+      abort: () => {
+        calls.abort += 1
+      }
+    },
+    onSocketClose: () => {
+      calls.close += 1
+    },
+    closeState: new Set()
+  }
+
+  const parser = new ByteParser(handler)
+
+  parser.write(invalidFrame)
+
+  return new Promise((resolve) => {
+    setImmediate(() => {
+      t.assert.strictEqual(calls.abort, 1)
+      t.assert.strictEqual(calls.close, 1)
+      parser.destroy()
+      resolve()
+    })
+  })
+})