My lil' agent friend and I discovered what I suspect is a bug in cow_ws. We got a "tuple access out of bounds" error in production:
Investigating this with Claude (because of how unfamiliar I am with the Cowboy codebase) seems to confirm this is still happening on main. It seems like this is the UTF-8 validation of an inbound WebSocket text/close frame. The relevant code:
%% line 680 — has a guard:
validate_s0(<<C,R/bits>>) when C >= 128 ->
Class = element(C - 127, utf8_class()), %% C>=128 ⇒ index 1..128, safe
%% line 695 — NO guard:
validate_s2(<<C,R/bits>>) ->
Class = element(C - 127, utf8_class()), %% C<128 ⇒ index <= 0 ⇒ CRASH
This is what Claude had to say:
utf8_class() is a 129-element tuple, so element/2 needs an index ≥ 1. States validate_s2–validate_s8 are entered mid multi-byte sequence and expect a continuation byte (C >= 128). If a client sends a malformed sequence — a multi-byte lead byte followed by an ASCII byte, e.g. 0xC2 0x41 — then C - 127 <= 0, and element/2 raises ArgumentError: 1st argument: out of range instead of returning 1 (invalid encoding → a clean 1007 close). validate_s0 got the when C >= 128 guard; s2–s8 did not.
Claude says this was introduced in #141.
Versions
- Cowboy: 2.14.2
- Cowlib: 2.16.0
Note
I’m sorry for the heavily-AI-aided bug report. I don't know much about cowlib or cowboy's internals, but I figured it would still be better to report this since this can basically allow anyone to trigger crashes in WS-handling processes.
My lil' agent friend and I discovered what I suspect is a bug in
cow_ws. We got a "tuple access out of bounds" error in production:Investigating this with Claude (because of how unfamiliar I am with the Cowboy codebase) seems to confirm this is still happening on
main. It seems like this is the UTF-8 validation of an inbound WebSocket text/close frame. The relevant code:This is what Claude had to say:
Claude says this was introduced in #141.
Versions
Note
I’m sorry for the heavily-AI-aided bug report. I don't know much about cowlib or cowboy's internals, but I figured it would still be better to report this since this can basically allow anyone to trigger crashes in WS-handling processes.