extmod/modwebsocket: Enable split frames and test them.

This fixes several assertion errors that were found in fuzz testing, for
unimplemented portions of the websocket spec.  The assertions were either
turned into Python exceptions, or the missing functionality was
implemented.

Split frames are now enabled and work, enabling reception of frames up to
64kB (assuming they are encoded with a 16-bit size field).

Frames with a 64-bit size fields remain unsupported but no longer result in
an assertion error.  Instead, Initial reception of such a frame will result
in OSError(EIO) and subsequent operations on the same websocket will fail
because framing has been lost.

Transmitting frames larger than 64kB is unsupported.  Attempting to
transmit such a frame will result in OSError(ENOBUFS).  Subsequent
operations on the websocket are possible.

Signed-off-by: Jeff Epler <jepler@gmail.com>

extmod/modwebsocket.c

@@ -76,6 +76,7 @@ static mp_obj_t websocket_make_new(const mp_obj_type_t *type, size_t n_args, siz
 
 static mp_uint_t websocket_read(mp_obj_t self_in, void *buf, mp_uint_t size, int *errcode) {
     mp_obj_websocket_t *self = MP_OBJ_TO_PTR(self_in);
+
     const mp_stream_p_t *stream_p = mp_get_stream(self->sock);
     while (1) {
         if (self->to_recv != 0) {
@@ -93,9 +94,6 @@ static mp_uint_t websocket_read(mp_obj_t self_in, void *buf, mp_uint_t size, int
 
         switch (self->state) {
             case FRAME_HEADER: {
-                // TODO: Split frame handling below is untested so far, so conservatively disable it
-                assert(self->buf[0] & 0x80);
-
                 // "Control frames MAY be injected in the middle of a fragmented message."
                 // So, they must be processed before data frames (and not alter
                 // self->ws_flags)
@@ -120,14 +118,15 @@ static mp_uint_t websocket_read(mp_obj_t self_in, void *buf, mp_uint_t size, int
                     // Msg size is next 2 bytes
                     to_recv += 2;
                 } else if (sz == 127) {
-                    // Msg size is next 8 bytes
-                    assert(0);
+                    // Msg size is next 8 bytes (unsupported, no way to recover)
+                    mp_stream_close(self->sock);
+                    *errcode = MP_EIO;
+                    return MP_STREAM_ERROR;
                 }
                 if (self->buf[1] & 0x80) {
                     // Next 4 bytes is mask
                     to_recv += 4;
                 }
-
                 self->buf_pos = 0;
                 self->to_recv = to_recv;
                 self->msg_sz = sz; // May be overridden by FRAME_OPT
@@ -146,6 +145,8 @@ static mp_uint_t websocket_read(mp_obj_t self_in, void *buf, mp_uint_t size, int
             case FRAME_OPT: {
                 if ((self->buf_pos & 3) == 2) {
                     // First two bytes are message length
+                    // First two bytes are message length. Technically the size must be at least 126 per RFC6455
+                    // but MicroPython skips checking that.
                     self->msg_sz = (self->buf[0] << 8) | self->buf[1];
                 }
                 if (self->buf_pos >= 4) {
@@ -218,9 +219,16 @@ static mp_uint_t websocket_read(mp_obj_t self_in, void *buf, mp_uint_t size, int
 
 static mp_uint_t websocket_write(mp_obj_t self_in, const void *buf, mp_uint_t size, int *errcode) {
     mp_obj_websocket_t *self = MP_OBJ_TO_PTR(self_in);
-    assert(size < 0x10000);
+    if (size >= 0x10000) {
+        *errcode = MP_ENOBUFS;
+        return MP_STREAM_ERROR;
+    }
     byte header[4] = {0x80 | (self->opts & FRAME_OPCODE_MASK)};
     int hdr_sz;
+    // "Note that in all cases, the minimal number of bytes MUST be used to
+    // encode the length, for example, the length of a 124-byte-long string
+    // can't be encoded as the sequence 126, 0, 124."
+    //   -- https://www.rfc-editor.org/rfc/rfc6455.html
     if (size < 126) {
         header[1] = size;
         hdr_sz = 2;

tests/extmod/websocket_basic.py

@@ -13,6 +13,13 @@ def ws_read(msg, sz):
     return ws.read(sz)
 
 
+# put raw data in the stream and do a series of websocket read
+def ws_readn(msg, *args):
+    ws = websocket.websocket(io.BytesIO(msg))
+    for sz in args:
+        yield ws.read(sz)
+
+
 # do a websocket write and then return the raw data from the stream
 def ws_write(msg, sz):
     s = io.BytesIO()
@@ -24,18 +31,28 @@ def ws_write(msg, sz):
 
 # basic frame
 print(ws_read(b"\x81\x04ping", 4))
-print(ws_read(b"\x80\x04ping", 4))  # FRAME_CONT
 print(ws_write(b"pong", 6))
 
-# split frames are not supported
-# print(ws_read(b"\x01\x04ping", 4))
+# split frames and irregular size reads
+for s in ws_readn(b"\x01\x04ping\x00\x04Ping\x80\x04PING", 6, 4, 2, 2):
+    print(s)
 
 # extended payloads
 print(ws_read(b"\x81~\x00\x80" + b"ping" * 32, 128))
 print(ws_write(b"pong" * 32, 132))
 
-# mask (returned data will be 'mask' ^ 'mask')
-print(ws_read(b"\x81\x84maskmask", 4))
+# 64-bit payload size, unsupported by MicroPython implementation. Framing is lost.
+msg = b"\x81\x7f\x00\x00\x00\x00\x00\x00\x00\x80" + b"ping" * 32
+ws = websocket.websocket(io.BytesIO(msg))
+try:
+    print(ws.read(1))
+except OSError as e:
+    print("ioctl: EIO:", e.errno == errno.EIO)
+
+# mask (returned data will be 'maskmask' ^ 'maskMASK')
+print(ws_read(b"\x81\x88maskmaskMASK", 8))
+# mask w/2-byte payload len (returned data will be 'maskmask' ^ 'maskMASK')
+print(ws_read(b"\x81\xfe\x00\x08maskmaskMASK", 8))
 
 # close control frame
 s = io.BytesIO(b"\x88\x00")  # FRAME_CLOSE

tests/extmod/websocket_basic.py.exp

@@ -1,8 +1,13 @@
 b'ping'
-b'ping'
 b'\x81\x04pong'
+b'pingPi'
+b'ngPI'
+b'NG'
+b''
 b'pingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingpingping'
 b'\x81~\x00\x80pongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpongpong'
+ioctl: EIO: True
+b'\x00\x00\x00\x00    '
 b'\x00\x00\x00\x00    '
 b''
 b'\x88\x00'