tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oswaldo Olivo <ozzy...@gmail.com>
Subject Re: Potential IndexOutBounds in AbstractServletInputStream::readLine() ?
Date Fri, 06 Mar 2015 23:54:10 GMT
I see.
Thank you!
-- Oswaldo.

On Wed, Mar 4, 2015 at 4:21 PM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Oswaldo Olivo [mailto:ozzyo86@gmail.com]
> > Subject: Potential IndexOutBounds in
> AbstractServletInputStream::readLine() ?
>
> > I was wondering if there is an unintentional potential index of out
> bounds
> > exception in AbstractServletInputStream::readLine() ?
>
> It's not unintentional.
>
> > It seems that "len" is partially sanitized, but the offset parameter
> 'off'
> > is not.
>
> As the spec requires.
>
> > In particular, 'off' could be allowed to be outside of 'buf', causing an
> > exception while executing the statement b[off++]=(byte)c;
>
> Which is an error by the caller, resulting in an exception.
>
> > One could change the loop condition to something like
> > "((c=readInternal())!= -1 && 0<=off && off<b.length)"
>
> For what purpose?  The return value of -1 specifically means there is no
> more data to be read.
>
> > I believe that the implementation of readLine() in
> javax.ServletInputStream
> > handles these border cases by returning -1 whenver an access outside of
> the
> > array is attempted, so it doesn't suffer from this problem.
>
> Presumably you meant javax.servlet.ServletInputStream, not what you
> wrote.  The readLine() implementation for that class certainly does not do
> what you describe, nor should it.  Read the servlet spec and JavaDoc.
>
> > Is this an issue that needs to be changed or is it the intended behavior
> to
> > leave the responsibility of sanitizing the parameters to the caller ?
>
> Nothing in the spec indicates that the current behavior is inappropriate.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail and
> its attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message