QUERY · ISSUE
websocket crash on corrupt data
bug
Port, board and/or hardware
unix port, coverage variant, linux x86_64
MicroPython version
MicroPython v1.26.0-preview.521.g658a2e3dbd on 2025-08-02; linux [GCC 12.2.0] version
Reproduction
Run the following code:
import io
import websocket
# put raw data in the stream and do a websocket read
def ws_read(msg, sz):
ws = websocket.websocket(io.BytesIO(msg))
return ws.read(sz)
# a corrupt frame
print(ws_read(b"aa", 2))
Expected behaviour
An exception is raised because the data is not valid websocket data
Observed behaviour
micropython terminates with an assertion error:
micropython: ../../extmod/modwebsocket.c:97: websocket_read: Assertion `self->buf[0] & 0x80' failed.
Additional Information
Found with fuzzer, minimized by me
Code of Conduct
Yes, I agree
CANDIDATE · PULL REQUEST
extmod/modwebsocket: Replace assertion with validation for corrupt frames
Fixes #17818
Problem:
When websocket receives corrupt/non-websocket data, frame parsing can enter FRAME_OPT state with invalid buf_pos value. Code has assertion that buf_pos must be 2 or 6, which crashes on corrupt input instead of reporting error.
Solution:
- Replace assertion with proper validation check
- Raise
ValueErrorwith "invalid websocket frame" message when frame structure is malformed - Matches expected behavior for network protocol parsing
Impact:
- Prevents crashes from malformed network data
- Provides proper error handling for invalid input
- Improves robustness of websocket implementation