Author: markt
Date: Thu Aug 25 10:38:32 2011
New Revision: 1161486
URL: http://svn.apache.org/viewvc?rev=1161486&view=rev
Log:
Detect incomplete AJP messages and reject the associated request if one is found
Modified:
tomcat/trunk/java/org/apache/coyote/ajp/AjpMessage.java
tomcat/trunk/java/org/apache/coyote/ajp/LocalStrings.properties
Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpMessage.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ajp/AjpMessage.java?rev=1161486&r1=1161485&r2=1161486&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/ajp/AjpMessage.java (original)
+++ tomcat/trunk/java/org/apache/coyote/ajp/AjpMessage.java Thu Aug 25 10:38:32
2011
@@ -291,11 +291,13 @@ public class AjpMessage {
public int getInt() {
int b1 = buf[pos++] & 0xFF;
int b2 = buf[pos++] & 0xFF;
+ validatePos(pos);
return (b1<<8) + b2;
}
public int peekInt() {
+ validatePos(pos + 2);
int b1 = buf[pos] & 0xFF;
int b2 = buf[pos+1] & 0xFF;
return (b1<<8) + b2;
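Review bot: In getInt() the bounds check runs after both `buf[pos++]` reads, so for a truncated message the bytes past the declared end are already fetched and `pos` is left advanced when the exception is thrown; peekInt() in the same hunk checks first. Making `validatePos(pos + 2);` the first statement of getInt() would keep the two methods consistent and avoid reading bytes that are not part of the message. The same read-then-check order appears in getByte() (use `validatePos(pos + 1);` first) and in the method ending in `return b1;` (use `validatePos(pos + 4);` first, assuming it reads four bytes, since its start is outside the hunk).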
@@ -304,6 +306,7 @@ public class AjpMessage {
public byte getByte() {
byte res = buf[pos++];
+ validatePos(pos);
return res;
}
@@ -314,6 +317,7 @@ public class AjpMessage {
mb.recycle();
return;
}
+ validatePos(pos + length + 1);
mb.setBytes(buf, pos, length);
mb.getCharChunk().recycle(); // not valid anymore
pos += length;
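Review bot: The `+ 1` in `validatePos(pos + length + 1)` is unexplained; it presumably covers a terminator byte that follows the string data, but the line that skips it is outside the hunk. A short comment such as `// length bytes plus the trailing terminator must lie inside the message` would make the bound auditable. Where `length` comes from is also outside the hunk, so it is worth confirming there that it can be neither negative nor large enough to overflow the sum.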
@@ -335,6 +339,7 @@ public class AjpMessage {
b1 |= (buf[pos++] & 0xFF);
b1 <<=8;
b1 |= (buf[pos++] & 0xFF);
+ validatePos(pos);
return b1;
}
@@ -389,6 +394,13 @@ public class AjpMessage {
}
+ private void validatePos(int posToTest) {
+ if (posToTest > len + 4) {
+ // Trying to read data beyond the end of the AJP message
+ throw new ArrayIndexOutOfBoundsException(sm.getString(
+ "ajpMessage.invalidPos", Integer.valueOf(pos)));
+ }
+ }
// ------------------------------------------------------ Protected Methods
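Review bot: The exception message in validatePos() formats `pos` rather than the value that failed the check, so for peekInt() and the `pos + length + 1` call the reported position can be one that is still inside the message. Passing `Integer.valueOf(posToTest)` would report the offending offset. The literal `4` in `len + 4` also deserves a comment or a named constant stating what it represents (presumably the AJP header length), because the correctness of the whole check depends on it.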
Modified: tomcat/trunk/java/org/apache/coyote/ajp/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ajp/LocalStrings.properties?rev=1161486&r1=1161485&r2=1161486&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/ajp/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/coyote/ajp/LocalStrings.properties Thu Aug 25
10:38:32 2011
@@ -46,4 +46,5 @@ ajpmessage.overflow=Overflow error for b
ajpmessage.read=Requested {0} bytes exceeds message available data
ajpmessage.invalid=Invalid message received with signature {0}
ajpmessage.invalidLength=Invalid message received with length {0}
+ajpMessage.invalidPos=Requested read of bytes at position [{0}] which is
beyond then end of the AJP message
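Review bot: The new message text contains a typo: `beyond then end` should read `beyond the end`. The key `ajpMessage.invalidPos` is camel-cased while the neighbouring keys use the `ajpmessage.` prefix. It matches the lookup in AjpMessage.java, so it resolves, but using `ajpmessage.invalidPos` in both places would keep the file consistent.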