Note that in all cases, the minimal number of bytes MUST be used to encode the length, for example, the length of a 124-byte-long string can't be encoded as the sequence 126, 0, 124.
Implementations must reject:
Lengths < 126 encoded using 16 bits or 64 bits
Lengths < 65536 encoded using 64 bits
Also:
If 127, the following 8 bytes interpreted as a 64-bit unsigned integer (the most significant bit MUST be 0) are the payload length.
and:
frame-payload-length-63 = %x0000000000000000-7FFFFFFFFFFFFFFF
; 64 bits in length
So any frames with a payload length >= 0x80000000_00000000 must be rejected.
From the RFC: https://tools.ietf.org/html/rfc6455
Implementations must reject:
Also:
and:
So any frames with a payload length >= 0x80000000_00000000 must be rejected.