[Bug 59089] New: ArrayIndexOutOfBoundsException if header name contains byte values > 127

Mon, 29 Feb 2016 05:44:44 -0800 

https://bz.apache.org/bugzilla/show_bug.cgi?id=59089

            Bug ID: 59089
           Summary: ArrayIndexOutOfBoundsException if header name contains
                    byte values > 127
           Product: Tomcat 8
           Version: 8.0.32
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: apache-bugzi...@michael-kaufmann.ch

If a header name contains a byte value > 127, Tomcat 8 throws this exception:

29-Feb-2016 09:42:47.833 INFO [http-nio-8080-exec-3]
org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP
request header
 Note: further occurrences of HTTP header parsing errors will be logged at
DEBUG level.
 java.lang.ArrayIndexOutOfBoundsException: -61
    at
org.apache.coyote.http11.AbstractNioInputBuffer.parseHeader(AbstractNioInputBuffer.java:474)
    at
org.apache.coyote.http11.AbstractNioInputBuffer.parseHeaders(AbstractNioInputBuffer.java:381)
    at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1024)
    at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
    at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
    at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)


The corresponding source code is:

    } else if (!HTTP_TOKEN_CHAR[chr]) {
        // If a non-token header is detected, skip the line and
        // ignore the header
        headerData.lastSignificantChar = pos;
        return skipLine();
    }


"chr" may be negative (-128 ... 127), so this is a possible bugfix:
    } else if (chr < 0 || !HTTP_TOKEN_CHAR[chr]) {


This bug is present in 3 source files:
- AbstractNioInputBuffer.java
- InternalAprInputBuffer.java
- InternalInputBuffer.java

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to