fix: enforce max frame size in ReadFrame

[mccutchen]

We have a current potential security/DoS issue where we will gladly allocate a slice for an attacker-controlled payload size.

This addresses https://github.com/mccutchen/websocket/security/code-scanning/1

[codecov]

Codecov Report

Attention: Patch coverage is 84.61538% with 2 lines in your changes missing coverage. Please review.

Project coverage is 79.53%. Comparing base (19a4a18) to head (6a3002a).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
proto.go	83.33%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #24      +/-   ##
==========================================
+ Coverage   79.39%   79.53%   +0.14%     
==========================================
  Files           3        3              
  Lines         427      430       +3     
==========================================
+ Hits          339      342       +3     
  Misses         64       64              
  Partials       24       24              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

benchstats: 0b6bcf4...6a3002a

View full benchmark output for 6a3002a on the workflow summary.

goos: linux
goarch: amd64
pkg: github.com/mccutchen/websocket
cpu: AMD EPYC 7763 64-Core Processor                
                       │ bench-results-main.txt │       bench-commit-6a3002a.txt       │
                       │         sec/op         │    sec/op     vs base                │
ReadFrame/1KiB-4                    1.018µ ± 1%    1.091µ ± 1%   +7.17% (p=0.001 n=10)
ReadFrame/1MiB-4                    855.6µ ± 1%   1010.0µ ± 1%  +18.04% (p=0.000 n=10)
ReadFrame/8MiB-4                    6.429m ± 1%    7.679m ± 1%  +19.45% (p=0.000 n=10)
ReadFrame/16MiB-4                   13.05m ± 1%    15.30m ± 0%  +17.27% (p=0.000 n=10)
ReadMessage/1MiB/1-4                943.3µ ± 0%   1125.5µ ± 1%  +19.32% (p=0.000 n=10)
ReadMessage/8MiB/1-4                7.185m ± 1%    8.535m ± 1%  +18.78% (p=0.000 n=10)
ReadMessage/16MiB/1-4               14.59m ± 1%    17.02m ± 1%  +16.63% (p=0.000 n=10)
ReadMessage/1MiB/4-4                1.413m ± 6%    1.624m ± 2%  +14.92% (p=0.000 n=10)
ReadMessage/8MiB/4-4                8.912m ± 4%   11.460m ± 3%  +28.60% (p=0.000 n=10)
ReadMessage/16MiB/4-4               18.08m ± 4%    20.75m ± 2%  +14.79% (p=0.000 n=10)
ReadMessage/1MiB/16-4               2.310m ± 6%    2.072m ± 0%  -10.27% (p=0.000 n=10)
ReadMessage/8MiB/16-4               15.97m ± 5%    15.33m ± 8%        ~ (p=0.190 n=10)
ReadMessage/16MiB/16-4              24.48m ± 5%    24.78m ± 3%        ~ (p=0.315 n=10)
geomean                             2.984m         3.340m       +11.94%

                       │ bench-results-main.txt │       bench-commit-6a3002a.txt        │
                       │          B/op          │     B/op      vs base                 │
ReadFrame/1KiB-4                   1.055Ki ± 0%   1.055Ki ± 0%       ~ (p=1.000 n=10) ¹
ReadFrame/1MiB-4                   1.000Mi ± 0%   1.000Mi ± 0%  +0.00% (p=0.000 n=10)
ReadFrame/8MiB-4                   8.000Mi ± 0%   8.000Mi ± 0%  +0.00% (p=0.000 n=10)
ReadFrame/16MiB-4                  16.00Mi ± 0%   16.00Mi ± 0%  +0.00% (p=0.002 n=10)
ReadMessage/1MiB/1-4               1.000Mi ± 0%   1.000Mi ± 0%  +0.00% (p=0.000 n=10)
ReadMessage/8MiB/1-4               8.000Mi ± 0%   8.000Mi ± 0%  +0.00% (p=0.000 n=10)
ReadMessage/16MiB/1-4              16.00Mi ± 0%   16.00Mi ± 0%  +0.00% (p=0.000 n=10)
ReadMessage/1MiB/4-4               3.602Mi ± 0%   3.602Mi ± 0%  +0.00% (p=0.000 n=10)
ReadMessage/8MiB/4-4               28.57Mi ± 0%   28.57Mi ± 0%  +0.00% (p=0.001 n=10)
ReadMessage/16MiB/4-4              57.09Mi ± 0%   57.09Mi ± 0%       ~ (p=0.068 n=10)
ReadMessage/1MiB/16-4              5.407Mi ± 0%   5.407Mi ± 0%  -0.00% (p=0.000 n=10)
ReadMessage/8MiB/16-4              47.22Mi ± 0%   47.22Mi ± 0%       ~ (p=0.127 n=10)
ReadMessage/16MiB/16-4             93.81Mi ± 0%   93.81Mi ± 0%       ~ (p=0.424 n=10)
geomean                            5.263Mi        5.263Mi       +0.00%
¹ all samples are equal

                       │ bench-results-main.txt │      bench-commit-6a3002a.txt       │
                       │       allocs/op        │ allocs/op   vs base                 │
ReadFrame/1KiB-4                     5.000 ± 0%   5.000 ± 0%       ~ (p=1.000 n=10) ¹
ReadFrame/1MiB-4                     5.000 ± 0%   5.000 ± 0%       ~ (p=1.000 n=10) ¹
ReadFrame/8MiB-4                     5.000 ± 0%   5.000 ± 0%       ~ (p=1.000 n=10) ¹
ReadFrame/16MiB-4                    5.000 ± 0%   5.000 ± 0%       ~ (p=1.000 n=10) ¹
ReadMessage/1MiB/1-4                 6.000 ± 0%   6.000 ± 0%       ~ (p=1.000 n=10) ¹
ReadMessage/8MiB/1-4                 6.000 ± 0%   6.000 ± 0%       ~ (p=1.000 n=10) ¹
ReadMessage/16MiB/1-4                6.000 ± 0%   6.000 ± 0%       ~ (p=1.000 n=10) ¹
ReadMessage/1MiB/4-4                 24.00 ± 0%   24.00 ± 0%       ~ (p=1.000 n=10) ¹
ReadMessage/8MiB/4-4                 24.00 ± 0%   24.00 ± 0%       ~ (p=1.000 n=10) ¹
ReadMessage/16MiB/4-4                24.00 ± 0%   24.00 ± 0%       ~ (p=1.000 n=10) ¹
ReadMessage/1MiB/16-4                90.00 ± 0%   90.00 ± 0%       ~ (p=1.000 n=10) ¹
ReadMessage/8MiB/16-4                90.00 ± 0%   90.00 ± 0%       ~ (p=1.000 n=10) ¹
ReadMessage/16MiB/16-4               90.00 ± 0%   90.00 ± 0%       ~ (p=1.000 n=10) ¹
geomean                              14.59        14.59       +0.00%
¹ all samples are equal

[mccutchen]

(Code coverage is complaining because the payloadLength -> payloadLen variable rename touches some error cases that were already not covered. That's not actually a regression in coverage here.)