svn commit: r1837530 - in /tomcat/trunk/java/org/apache/coyote: AbstractProcessor.java AsyncStateMachine.java

[markt]

Author: markt
Date: Mon Aug  6 14:44:23 2018
New Revision: 1837530

URL: http://svn.apache.org/viewvc?rev=1837530&view=rev
Log:
Add some comments for the fix for CVE-2018-8037

Modified:
    tomcat/trunk/java/org/apache/coyote/AbstractProcessor.java
    tomcat/trunk/java/org/apache/coyote/AsyncStateMachine.java

Modified: tomcat/trunk/java/org/apache/coyote/AbstractProcessor.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/AbstractProcessor.java?rev=1837530&r1=1837529&r2=1837530&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/AbstractProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/AbstractProcessor.java Mon Aug  6 
14:44:23 2018
@@ -51,6 +51,15 @@ public abstract class AbstractProcessor
     protected final Adapter adapter;
     protected final AsyncStateMachine asyncStateMachine;
     private volatile long asyncTimeout = -1;
+    /*
+     * Tracks the current async generation when a timeout is dispatched. In the
+     * time it takes for a container thread to be allocated and the timeout
+     * processing to start, it is possible that the application completes this
+     * generation of async processing and starts a new one. If the timeout is
+     * then processed against the new generation, response mix-up can occur.
+     * This field is used to ensure that any timeout event processed is for the
+     * current async generation. This prevents the response mix-up.
+     */
     private volatile long asyncTimeoutGeneration = 0;
     protected final Request request;
     protected final Response response;

Modified: tomcat/trunk/java/org/apache/coyote/AsyncStateMachine.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/AsyncStateMachine.java?rev=1837530&r1=1837529&r2=1837530&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/AsyncStateMachine.java [UTF-8] 
(original)
+++ tomcat/trunk/java/org/apache/coyote/AsyncStateMachine.java [UTF-8] Mon Aug  
6 14:44:23 2018
@@ -190,6 +190,14 @@ class AsyncStateMachine {
 
     private volatile AsyncState state = AsyncState.DISPATCHED;
     private volatile long lastAsyncStart = 0;
+    /*
+     * Tracks the current generation of async processing for this state 
machine.
+     * The generation is incremented every time async processing is started. 
The
+     * primary purpose of this is to enable Tomcat to detect and prevent
+     * attempts to process an event for a previous generation with the current
+     * generation as processing such an event usually ends badly:
+     * e.g. CVE-2018-8037.
+     */
     private final AtomicLong generation = new AtomicLong(0);
     // Need this to fire listener on complete
     private AsyncContextCallback asyncCtxt = null;



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org