#17 - Validate close frame body.

Author: Tratcher

src/Microsoft.AspNet.WebSockets.Protocol/CommonWebSocket.cs

@@ -414,7 +414,19 @@ private async Task<WebSocketReceiveResult> ProcessCloseFrameAsync(CancellationTo
                     Utilities.MaskInPlace(_frameInProgress.MaskKey, new ArraySegment<byte>(_receiveBuffer, _receiveBufferOffset, (int)_frameBytesRemaining));
                 }
                 _closeStatus = (WebSocketCloseStatus)((_receiveBuffer[_receiveBufferOffset] << 8) | _receiveBuffer[_receiveBufferOffset + 1]);
-                _closeStatusDescription = Encoding.UTF8.GetString(_receiveBuffer, _receiveBufferOffset + 2, (int)_frameBytesRemaining - 2) ?? string.Empty;
+                try
+                {
+                    var encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);
+                    _closeStatusDescription = encoding.GetString(_receiveBuffer, _receiveBufferOffset + 2, (int)_frameBytesRemaining - 2) ?? string.Empty;
+                }
+                catch (DecoderFallbackException)
+                {
+                    await SendErrorAbortAndThrow(WebSocketCloseStatus.ProtocolError, "Invalid UTF-8 close message.", cancellationToken);
+                }
+            }
+            else if (_frameBytesRemaining == 1)
+            {
+                await SendErrorAbortAndThrow(WebSocketCloseStatus.ProtocolError, "Invalid close body.", cancellationToken);
             }
             else
             {

src/Microsoft.AspNet.WebSockets.Protocol/project.json

@@ -14,6 +14,7 @@
                 "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*",
                 "System.Threading": "4.0.0-beta-*",
                 "System.Threading.Tasks": "4.0.10-beta-*",
+                "System.Text.Encoding.Extensions": "4.0.10-beta-*",
                 "System.Threading.Timer": "4.0.0-beta-*"
             }
         }