httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48719] New: [BUG] mod_proxy_ajp return wrong error message when client cookie is very big
Date Wed, 10 Feb 2010 06:56:45 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=48719

           Summary: [BUG] mod_proxy_ajp return wrong error message when
                    client cookie is very big
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy_ajp
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: qu-chunguang@necsoft.com.cn


Created an attachment (id=24959)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24959)
test jsp page

1 error in apache-mod_proxy_ajp
1.1 In apache-mod_proxy_ajp-tomcat connection,
when jsp page on tomcat trys to create a very big cookie(about 8000B) to user
explorer, (or just try to read a very big cookie from user explorer),
error occurs.

With the size of cookie changed,
the following error log generated(in apache/logs/error_log):

--
[Tue Feb 09 14:02:40 2010] [error] ajp_msg_get_string(): 
BufferOverflowException 8188 8192
[Tue Feb 09 14:02:40 2010] [error] ajp_unmarshal_response: Null header name
[Tue Feb 09 14:02:40 2010] [error] (120001)APR does not understand this 
error code: proxy: send body failed to 172.28.14.243:8009 (172.28.14.243)

--
[Tue Feb 09 12:37:22 2010] [error] ajp_check_msg_header() incoming message 
is too big 8196, max is 8192
[Tue Feb 09 12:37:22 2010] [error] ajp_ilink_receive() received bad header
[Tue Feb 09 12:37:22 2010] [error] ajp_read_header: ajp_ilink_receive failed
[Tue Feb 09 12:37:22 2010] [error] (120007)APR does not understand this 
error code: proxy: send body failed to 172.28.14.243:8009 (172.28.14.243)

--
[Tue Feb 09 13:42:22 2010] [error] (70014)End of file found: 
ajp_ilink_receive() can't receive header
[Tue Feb 09 13:42:22 2010] [error] ajp_read_header: ajp_ilink_receive failed
[Tue Feb 09 13:42:22 2010] [error] (120006)APR does not understand this 
error code: proxy: read response failed from 172.28.14.243:8009 
(172.28.14.243)

And with the size of cookie changed,different error message 
return to user explorer. 
But not describe the truly reason (cookie or url or just ajp_header are out of
limit).

1.2 source check

1.2.1 base source
  + Apache 2.2.4 mod_proxy_ajp
  + Tomcat 5.5.23 connectors/ajp

1.2.2 source extraction
--SEND (apache_tomcat_ajp)--
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/src/ajp_msg.c
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/src/ajp_link.c
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/src/ajp_header.c
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/include/ajp_header.h
//apache-tomcat-5.5.23-src/connectors/ajp/proxy/proxy_ajp.c
//apache-tomcat-5.5.23-src/connectors/ajp/proxy/mod_proxy.c
ap_proxy_ajp_request(){
    ... ...
    ajp_send_header();
    ... ...
}

ajp_send_header(){
    ... ...
    ajp_msg_create();
    ajp_malshal_to_msgb();
    ajp_ilink_send();
    ... ...
}

ajp_msg_create(){
    ... ...
    msg->len=0;
    msg->header_len=4;
    ... ...
}

ajp_malshal_to_msgb(){
    ... ...
    ajp_msg_append_*();    // msg->len += 1/2/4/...
}

ajp_ilink_send(){
    ... ...
    ajp_msg_end();
    ... ...
}

ajp_msg_append_uint8(){
    if((msg->len + 1) >= 8KB)    // <== ERROR: msg->len + 4 
(msg->header_len) + 1 >= 8KB
        // <== fine process for too big error
}

ajp_msg_end(){
    ... ...
    // write prefix 2 bytes to buf[0-1]
    ... ...
    // write len (msg->len - 4) 2 bytes to buf[2-3]
    len = msg->len - 4;        // <== ERROR: msg->len used as save buf used 
length
    ... ...
}

--RECEIVE(apache_mod_proxy_ajp)--
//httpd-2.2.4/modules/proxy/apj_msg.c

ajp_msg_chech_heaher(){
    ... ...
    // get msglen from buf
    if(msglen > 8KB){    // <== ERROR: msglen used as save buf used length
        // output: [Wed Dec 30 14:17:43 2009] [error] ajp_check_msg_header() 
incoming message is too big 8196, max is 8192
        // this message should nerver appear
    }
    ... ...
}

1.3 wrong use of len(in struct ajp_msg)/header_len/msglen(in ajp_header buf).
It seems that these three value has different meaning in describe the
ajp_header. But in two places, it was used in different meaning.
So that when the ajp_header size reached about AJP_MSG_BUFFER_SZ,
error occurs in many places.

2 For many applications' necessory,
we suggest the value of AJP_MSG_BUFFER_SZ up to 16KB.
This value should be a good balance between performance and availability.

3 wrong function name in log output.
apache/modules/proxy/ajp_msg.c:
line: 102 function name error.
line: 113 function name error.

4 test jsp page (in attachment)

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message