Author: mturk
Date: Thu Feb 18 16:44:57 2010
New Revision: 911481

URL: http://svn.apache.org/viewvc?rev=911481&view=rev
Log:
Make sure we favor the values returned by AjpMessage.processHeader. If the 
signature is invalid, len can be any random number.

Modified:
    tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
    tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java

Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=911481&r1=911480&r2=911481&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java Thu Feb 18 
16:44:57 2010
@@ -1112,8 +1112,10 @@
 
         first = false;
         bodyMessage.reset();
-        readMessage(bodyMessage, false, false);
-
+        if (!readMessage(bodyMessage, false, false)) {
+            // Invalid message
+            return false;
+        }
         // No data received.
         if (bodyMessage.getLen() == 0) {
             // just the header
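Review bot: Returning false when readMessage() rejects the body packet makes a corrupt AJP header indistinguishable from whatever receive() already uses false for. If callers read false as "no more body data" (they are not visible in this hunk), a request with a truncated body would be processed as if it were complete, while the connection stays open and out of sync with the frontend. Assuming receive() declares IOException, consider failing the request instead, e.g. `throw new IOException("Invalid AJP body message header");` (the message text is only a suggestion). The same applies to the matching receive() hunk in AjpProcessor.java; receive() starts and ends outside the hunk.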
@@ -1182,11 +1184,21 @@
             read(headerLength);
         }
         inputBuffer.get(message.getBuffer(), 0, headerLength);
-        message.processHeader();
-        read(message.getLen());
-        inputBuffer.get(message.getBuffer(), headerLength, message.getLen());
-
-        return true;
+        int messageLength = message.processHeader();
+        if (messageLength < 0) {
+            // Invalid AJP header signature
+            // TODO: Throw some exception and close the connection to frontend.
+            return false;
+        }
+        else if (messageLength == 0) {
+            // Zero length message.
+            return true;
+        }
+        else {
+            read(messageLength);
+            inputBuffer.get(message.getBuffer(), headerLength, messageLength);
+            return true;
+        }
 
     }
 
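Review bot: messageLength is only checked for the negative (bad signature) case, so in the final else branch a header with a valid signature but a length larger than the space left in message.getBuffer() after headerLength still reaches `read(messageLength)` and `inputBuffer.get(...)`. Unless processHeader() already bounds the length (not visible here), add an upper-bound guard before the read, e.g. `if (messageLength > message.getBuffer().length - headerLength) return false;`, and handle it like the invalid-signature case. The TODO path also presumably leaves the unread payload on the connection, so the next read would start mid-packet; closing the connection there is needed for correctness, not just tidiness. The same points apply to the readMessage hunk in AjpProcessor.java (`read(buf, headerLength, messageLength)`). The method starts outside the hunk.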

Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=911481&r1=911480&r2=911481&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Thu Feb 18 
16:44:57 2010
@@ -1062,8 +1062,10 @@
 
         first = false;
         bodyMessage.reset();
-        readMessage(bodyMessage);
-
+        if (!readMessage(bodyMessage)) {
+            // Invalid message
+            return false;
+        }
         // No data received.
         if (bodyMessage.getLen() == 0) {
             // just the header
@@ -1119,14 +1121,24 @@
         throws IOException {
 
         byte[] buf = message.getBuffer();
+        int headerLength = message.getHeaderLength();
 
-        read(buf, 0, message.getHeaderLength());
-
-        message.processHeader();
-        read(buf, message.getHeaderLength(), message.getLen());
-
-        return true;
+        read(buf, 0, headerLength);
 
+        int messageLength = message.processHeader();
+        if (messageLength < 0) {
+            // Invalid AJP header signature
+            // TODO: Throw some exception and close the connection to frontend.
+            return false;
+        }
+        else if (messageLength == 0) {
+            // Zero length message.
+            return true;
+        }
+        else {
+            read(buf, headerLength, messageLength);
+            return true;
+        }
     }
 
 
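Review bot: readMessage() used to return true unconditionally and now returns false for an invalid header signature, but nothing visible in this hunk documents the new contract. The method's Javadoc (outside the hunk) should state it, e.g. `@return true if a message (possibly zero length) was read, false if the AJP header signature is invalid`. As a style point, every branch returns, so the `else if`/`else` ladder can be flattened into two guard clauses followed by the read. The same applies to AjpAprProcessor.readMessage, where false may already carry another meaning from earlier branches that are not shown.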


