Return-Path: X-Original-To: apmail-tomcat-dev-archive@www.apache.org Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F233D79E2 for ; Thu, 25 Aug 2011 10:41:32 +0000 (UTC) Received: (qmail 56983 invoked by uid 500); 25 Aug 2011 10:41:30 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 56734 invoked by uid 500); 25 Aug 2011 10:41:14 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 56708 invoked by uid 99); 25 Aug 2011 10:41:11 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 25 Aug 2011 10:41:11 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 25 Aug 2011 10:41:10 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id EC96F2388847 for ; Thu, 25 Aug 2011 10:40:49 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1161487 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/coyote/ajp/AjpMessage.java java/org/apache/coyote/ajp/LocalStrings.properties webapps/docs/changelog.xml Date: Thu, 25 Aug 2011 10:40:49 -0000 To: dev@tomcat.apache.org 
From: markt@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110825104049.EC96F2388847@eris.apache.org> Author: markt Date: Thu Aug 25 10:40:49 2011 New Revision: 1161487 URL: http://svn.apache.org/viewvc?rev=1161487&view=rev Log: Detect incomplete AJP messages and reject the associated request if one is found Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpMessage.java tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/LocalStrings.properties tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Aug 25 10:40:49 2011
@@ -1 +1 @@
-/tomcat/trunk:1156171,1156276,1156304,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339
+/tomcat/trunk:1156171,1156276,1156304,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339,1161486
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpMessage.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpMessage.java?rev=1161487&r1=1161486&r2=1161487&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpMessage.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpMessage.java Thu Aug 25 10:40:49 2011
@@ -291,11 +291,13 @@ public class AjpMessage {
 public int getInt() {
 int b1 = buf[pos++] & 0xFF;
 int b2 = buf[pos++] & 0xFF;
+ validatePos(pos);
 return (b1<<8) + b2;
 }
 public int peekInt() {
+ validatePos(pos + 2);
 int b1 = buf[pos] & 0xFF;
 int b2 = buf[pos+1] & 0xFF;
 return (b1<<8) + b2;
@@ -304,6 +306,7 @@ public class AjpMessage {
 public byte getByte() {
 byte res = buf[pos++];
+ validatePos(pos);
 return res;
 }
@@ -314,6 +317,7 @@ public class AjpMessage {
 mb.recycle();
 return;
 }
+ validatePos(pos + length + 1);
 mb.setBytes(buf, pos, length);
 mb.getCharChunk().recycle(); // not valid anymore
 pos += length;
@@ -335,6 +339,7 @@ public class AjpMessage {
 b1 |= (buf[pos++] & 0xFF);
 b1 <<=8;
 b1 |= (buf[pos++] & 0xFF);
+ validatePos(pos);
 return b1;
 }
@@ -393,6 +398,13 @@ public class AjpMessage {
 }
+ private void validatePos(int posToTest) {
+ if (posToTest > len + 4) {
+ // Trying to read data beyond the end of the AJP message
+ throw new ArrayIndexOutOfBoundsException(sm.getString(
+ "ajpMessage.invalidPos", Integer.valueOf(pos)));
+ }
+ }
 // ------------------------------------------------------ Protected Methods
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/LocalStrings.properties?rev=1161487&r1=1161486&r2=1161487&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/LocalStrings.properties (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/LocalStrings.properties Thu Aug 25 10:40:49 2011
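Review bot: In `getInt()` (hunk `@@ -291`) the new `validatePos(pos)` runs only after both `buf[pos++]` reads, whereas `peekInt()` in the same hunk calls `validatePos(pos + 2)` before touching the buffer; `getByte()` (`@@ -304`) and the multi-byte reader whose tail shows in `@@ -335` use the same read-then-check order. The request is still rejected, but bytes beyond the declared message length are fetched first and `pos` is left advanced when the check fails, so the message object is in an inconsistent state if anything catches the exception and keeps using it. Checking first keeps the readers consistent with `peekInt()`: `validatePos(pos + 2);` as the first statement of `getInt()`, `validatePos(pos + 1);` in `getByte()`, and the equivalent pre-check in the `@@ -335` method, whose start (and therefore read width) lies outside the hunk.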
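Review bot: In the `@@ -314` hunk, `validatePos(pos + length + 1)` carries an unexplained `+ 1`; presumably it covers a terminator byte that follows the payload, but the line that skips it is outside the hunk. Because `length` appears to be taken from the received message, this check is what bounds the range handed to `mb.setBytes(buf, pos, length)`, and that is worth recording so a later edit does not "correct" the offset. Suggested comment above the call: `// length is peer-supplied: payload plus its terminating byte must lie inside the message`. The enclosing method starts and ends outside the hunk.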
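Review bot: `validatePos` (hunk `@@ -393`) builds its message from `Integer.valueOf(pos)` rather than the `posToTest` it just compared, so for callers that pass a look-ahead value (`pos + 2` in `peekInt()`, `pos + length + 1` in the `@@ -314` hunk) the reported position can be one that is itself in range, which makes a rejected message harder to diagnose from the log. Use `Integer.valueOf(posToTest)` in the `sm.getString(...)` call. The literal `4` in `posToTest > len + 4` also deserves a named constant or a comment; it presumably is the header size that precedes the `len` payload bytes, but nothing in the hunk states that.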
@@ -46,4 +46,5 @@ ajpmessage.overflow=Overflow error for b
 ajpmessage.read=Requested {0} bytes exceeds message available data
 ajpmessage.invalid=Invalid message received with signature {0}
 ajpmessage.invalidLength=Invalid message received with length {0}
+ajpMessage.invalidPos=Requested read of bytes at position [{0}] which is beyond then end of the AJP message
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1161487&r1=1161486&r2=1161487&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Aug 25 10:40:49 2011
@@ -118,6 +118,10 @@ Code clean-up and re-factoring to reduce duplicate code in the AJP processor implementations. (markt) + + Detect incomplete AJP messages and reject the associated request if one + is found. (markt) + --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org
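Review bot: In the `LocalStrings.properties` hunk (`@@ -46`), the new key `ajpMessage.invalidPos` is camel-cased while every neighbouring key uses the lower-case `ajpmessage.` prefix. It matches the lookup string in `AjpMessage.java`, so it resolves today, but the mixed casing invites a failed lookup if either side is later normalised. The message text also reads "beyond then end", which should be "beyond the end". Suggested line: `ajpmessage.invalidPos=Requested read of bytes at position [{0}] which is beyond the end of the AJP message`, with the key passed to `sm.getString(...)` in `validatePos` changed to match.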