Posted to dev@tomcat.apache.org by cr...@apache.org on 2001/08/21 20:51:52 UTC
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
craigmcc 01/08/21 11:51:52
Modified: catalina/src/share/org/apache/catalina/core
StandardServer.java
Log:
Fix for a DoS attack against the shutdown port, that could cause an "out
of memory" exception by sending a continuous stream of characters. Now,
Tomcat will only listen for enough characters to match or not-match the
required password, then it shuts the port.
PR: Bugzilla #3210
Submitted by: Mike Price <mi...@foundstone.com>
Revision Changes Path
1.8 +8 -6 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java
Index: StandardServer.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- StandardServer.java 2001/07/22 20:25:08 1.7
+++ StandardServer.java 2001/08/21 18:51:52 1.8
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java,v 1.7 2001/07/22 20:25:08 pier Exp $
- * $Revision: 1.7 $
- * $Date: 2001/07/22 20:25:08 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java,v 1.8 2001/08/21 18:51:52 craigmcc Exp $
+ * $Revision: 1.8 $
+ * $Date: 2001/08/21 18:51:52 $
*
* ====================================================================
*
@@ -87,7 +87,7 @@
* (but not required) when deploying and starting Catalina.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.7 $ $Date: 2001/07/22 20:25:08 $
+ * @version $Revision: 1.8 $ $Date: 2001/08/21 18:51:52 $
*/
public final class StandardServer
@@ -289,9 +289,10 @@
continue;
}
- // Read a line of characters from the socket
+ // Read a set of characters from the socket
StringBuffer command = new StringBuffer();
- while (true) {
+ int expected = shutdown.length();
+ while (expected > 0) {
int ch = -1;
try {
ch = stream.read();
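Review bot: the new bound `int expected = shutdown.length();` makes the number of characters read depend on the shutdown password itself, so a client that streams characters without a newline sees the socket close after exactly that many bytes and learns the password length (the point Justin raises below). Suggest a cap that does not depend on the password, for example `int expected = MAX_COMMAND_LENGTH;` with a constant large enough for long passwords, so the close point says nothing about the configured value; the padded or randomised variants discussed in the follow-ups are a weaker form of the same fix.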
@@ -303,6 +304,7 @@
if (ch < 32) // Control character or EOF terminates loop
break;
command.append((char) ch);
+ expected--;
}
// Close the socket now that we are done with it
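Review bot: `expected--` runs only after a character is appended, so together with the break on control characters the loop reads at most `shutdown.length()` characters and the comparison still happens only after the read completes; that is the right shape, since stopping at the first mismatching character would let a client probe the password one position at a time. The log message's phrase "enough characters to match or not-match the required password" reads as if the loop stops early on mismatch; suggest rewording it to say the read is simply capped, so nobody later "optimises" it into an early exit.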
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Tue, 21 Aug 2001, Justin Erenkrantz wrote:
> On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> > craigmcc 01/08/21 11:51:52
> >
> > Modified: catalina/src/share/org/apache/catalina/core
> > StandardServer.java
> > Log:
> > Fix for a DoS attack against the shutdown port, that could cause an "out
> > of memory" exception by sending a continuous stream of characters. Now,
> > Tomcat will only listen for enough characters to match or not-match the
> > required password, then it shuts the port.
>
> Now I'll know exactly how long the shutdown password is. =-) -- justin
>
>
True ... that will be fixed in a second, along with another problem in
this code (it doesn't restrict connects to the local server).
Craig
Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java
Posted by Christopher Cain <cc...@mhsoftware.com>.
"Craig R. McClanahan" wrote:
>
> On Tue, 21 Aug 2001, Christopher Cain wrote:
[snip]
> > Now, if you could just add a small random value to "expected" before you
> > drop into the "while > 0" loop to make it non-deterministic , please ...
> >
> > (just kidding ;-)
> >
>
> Don't laugh. That's what I had actually implemented after doing the +=
> 1024 thing, but I just hadn't saved it away.
>
> Craig
Oh ... hahaha ... I thought you'd think I was being a paranoid
crypto-weenie. I guess great minds just think alike ;-)
I do that editor thing all the time too. Mostly when I change something,
do a build, run it, then wonder why custom debug output didn't show up.
D'oh! =)
- Christopher
Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Tue, 21 Aug 2001, Christopher Cain wrote:
>
>
> "Craig R. McClanahan" wrote:
> >
> > On Tue, 21 Aug 2001, Christopher Cain wrote:
> >
> > > "Pier P. Fumagalli" wrote:
> > > >
> > > > Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
> > > >
> > > > > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> > > > >> craigmcc 01/08/21 11:51:52
> > > > >>
> > > > >> Modified: catalina/src/share/org/apache/catalina/core
> > > > >> StandardServer.java
> > > > >> Log:
> > > > >> Fix for a DoS attack against the shutdown port, that could cause an "out
> > > > >> of memory" exception by sending a continuous stream of characters. Now,
> > > > >> Tomcat will only listen for enough characters to match or not-match the
> > > > >> required password, then it shuts the port.
> > > > >
> > > > > Now I'll know exactly how long the shutdown password is. =-) -- justin
> > > >
> > > > Good point... :(
> > > >
> > > > Pier
> > >
> > > It is a good point. Might I suggest shutting it off at an arbitrary
> > > limit instead ... say, 100 characters?
> > >
> >
> > 100 is a little short for paranoid sysadmins that use a really long
> > password :-). But you'll get a kick out of what I did implement :-).
>
> Ahhh ... a padded limit ... I likes it, I likes it =)
>
> Now, if you could just add a small random value to "expected" before you
> drop into the "while > 0" loop to make it non-deterministic , please ...
>
> (just kidding ;-)
>
Don't laugh. That's what I had actually implemented after doing the +=
1024 thing, but I just hadn't saved it away.
> - Christopher
>
Craig
Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java
Posted by Christopher Cain <cc...@mhsoftware.com>.
"Craig R. McClanahan" wrote:
>
> On Tue, 21 Aug 2001, Christopher Cain wrote:
>
> > "Pier P. Fumagalli" wrote:
> > >
> > > Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
> > >
> > > > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> > > >> craigmcc 01/08/21 11:51:52
> > > >>
> > > >> Modified: catalina/src/share/org/apache/catalina/core
> > > >> StandardServer.java
> > > >> Log:
> > > >> Fix for a DoS attack against the shutdown port, that could cause an "out
> > > >> of memory" exception by sending a continuous stream of characters. Now,
> > > >> Tomcat will only listen for enough characters to match or not-match the
> > > >> required password, then it shuts the port.
> > > >
> > > > Now I'll know exactly how long the shutdown password is. =-) -- justin
> > >
> > > Good point... :(
> > >
> > > Pier
> >
> > It is a good point. Might I suggest shutting it off at an arbitrary
> > limit instead ... say, 100 characters?
> >
>
> 100 is a little short for paranoid sysadmins that use a really long
> password :-). But you'll get a kick out of what I did implement :-).
Ahhh ... a padded limit ... I likes it, I likes it =)
Now, if you could just add a small random value to "expected" before you
drop into the "while > 0" loop to make it non-deterministic , please ...
(just kidding ;-)
- Christopher
Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Tue, 21 Aug 2001, Christopher Cain wrote:
> "Pier P. Fumagalli" wrote:
> >
> > Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
> >
> > > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> > >> craigmcc 01/08/21 11:51:52
> > >>
> > >> Modified: catalina/src/share/org/apache/catalina/core
> > >> StandardServer.java
> > >> Log:
> > >> Fix for a DoS attack against the shutdown port, that could cause an "out
> > >> of memory" exception by sending a continuous stream of characters. Now,
> > >> Tomcat will only listen for enough characters to match or not-match the
> > >> required password, then it shuts the port.
> > >
> > > Now I'll know exactly how long the shutdown password is. =-) -- justin
> >
> > Good point... :(
> >
> > Pier
>
> It is a good point. Might I suggest shutting it off at an arbitrary
> limit instead ... say, 100 characters?
>
100 is a little short for paranoid sysadmins that use a really long
password :-). But you'll get a kick out of what I did implement :-).
> - Christopher
>
Craig
Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java
Posted by Christopher Cain <cc...@mhsoftware.com>.
"Pier P. Fumagalli" wrote:
>
> Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
>
> > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> >> craigmcc 01/08/21 11:51:52
> >>
> >> Modified: catalina/src/share/org/apache/catalina/core
> >> StandardServer.java
> >> Log:
> >> Fix for a DoS attack against the shutdown port, that could cause an "out
> >> of memory" exception by sending a continuous stream of characters. Now,
> >> Tomcat will only listen for enough characters to match or not-match the
> >> required password, then it shuts the port.
> >
> > Now I'll know exactly how long the shutdown password is. =-) -- justin
>
> Good point... :(
>
> Pier
It is a good point. Might I suggest shutting it off at an arbitrary
limit instead ... say, 100 characters?
- Christopher
Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java
Posted by Carlos Gaston Alvarez <ga...@tournet.com.ar>.
Forget it, I saw the other answers. Sorry.
----- Original Message -----
From: "Carlos Gaston Alvarez" <ga...@tournet.com.ar>
To: <to...@jakarta.apache.org>
Sent: Friday, August 24, 2001 9:10 PM
Subject: Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java
> Just a security issue.
> Confirm that you are not listening only for the necessary characters to know
> that it doesn't match, that you are listening for more. Because if you stop it
> just when you know it will not match a hacker can easily guess what the
> password is. You should have a (big) minimum to listen before stopping it.
> Sorry if this mail is useless (most probably), just a thought.
>
> Chau,
>
> Gaston
>
>
Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java
Posted by Carlos Gaston Alvarez <ga...@tournet.com.ar>.
Just a security issue.
Confirm that you are not listening only for the necessary characters to know
that it doesn't match, that you are listening for more. Because if you stop it
just when you know it will not match a hacker can easily guess what the
password is. You should have a (big) minimum to listen before stopping it.
Sorry if this mail is useless (most probably), just a thought.
Chau,
Gaston
----- Original Message -----
From: "Pier P. Fumagalli" <pi...@betaversion.org>
To: <to...@jakarta.apache.org>
Sent: Tuesday, August 21, 2001 9:10 PM
Subject: Re: cvs commit:jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/coreStandardServer.java
> Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
>
> > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> >> craigmcc 01/08/21 11:51:52
> >>
> >> Modified: catalina/src/share/org/apache/catalina/core
> >> StandardServer.java
> >> Log:
> >> Fix for a DoS attack against the shutdown port, that could cause an "out
> >> of memory" exception by sending a continuous stream of characters. Now,
> >> Tomcat will only listen for enough characters to match or not-match the
> >> required password, then it shuts the port.
> >
> > Now I'll know exactly how long the shutdown password is. =-) -- justin
>
> Good point... :(
>
> Pier
>
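Pulling the thread's points together (Craig's note that the port should only accept local connections and that the password length leaks, Christopher's fixed limit, and Gaston's warning above not to stop reading at the first mismatch), here is an added example, not Tomcat's code: a bounded reader whose cap is independent of the password, with a read timeout and a whole-string comparison performed only after the read finishes. The class, method and constant names are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Hypothetical bounded reader for a shutdown-style command socket (not Tomcat's code). */
public final class BoundedShutdownReader {

    /** Cap chosen independently of the password, so the close point reveals nothing about its length. */
    static final int MAX_COMMAND = 4096;
    /** A client that connects and then goes silent must not hold the listener forever. */
    static final int READ_TIMEOUT_MS = 5000;

    /** Read at most limit characters; a control character or EOF (-1) ends the command early. */
    static String readCommand(InputStream in, int limit) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int remaining = limit; remaining > 0; remaining--) {
            int ch = in.read();
            if (ch < 32) break;              // control character, or -1 on EOF
            sb.append((char) ch);
        }
        return sb.toString();
    }

    /** Compare the whole command only after the read is done; never exit on a partial mismatch. */
    static boolean matches(String received, String expected) {
        byte[] a = received.getBytes(StandardCharsets.ISO_8859_1);
        byte[] b = expected.getBytes(StandardCharsets.ISO_8859_1);
        // MessageDigest.isEqual compares all bytes in constant time when the lengths match.
        return MessageDigest.isEqual(a, b);
    }

    /** Returns true only for a loopback client that sent exactly the shutdown string. */
    static boolean handle(Socket socket, String shutdown) throws IOException {
        try (Socket s = socket) {            // the socket is closed on every path
            if (!s.getInetAddress().isLoopbackAddress()) {
                return false;                // refuse remote clients outright
            }
            s.setSoTimeout(READ_TIMEOUT_MS);
            String command;
            try {
                command = readCommand(s.getInputStream(), MAX_COMMAND);
            } catch (SocketTimeoutException e) {
                return false;                // slow or silent client: give up, do not block
            }
            return matches(command, shutdown);
        }
    }
}
```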
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
> On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
>> craigmcc 01/08/21 11:51:52
>>
>> Modified: catalina/src/share/org/apache/catalina/core
>> StandardServer.java
>> Log:
>> Fix for a DoS attack against the shutdown port, that could cause an "out
>> of memory" exception by sending a continuous stream of characters. Now,
>> Tomcat will only listen for enough characters to match or not-match the
>> required password, then it shuts the port.
>
> Now I'll know exactly how long the shutdown password is. =-) -- justin
Good point... :(
Pier
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
Posted by Justin Erenkrantz <je...@ebuilt.com>.
On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> craigmcc 01/08/21 11:51:52
>
> Modified: catalina/src/share/org/apache/catalina/core
> StandardServer.java
> Log:
> Fix for a DoS attack against the shutdown port, that could cause an "out
> of memory" exception by sending a continuous stream of characters. Now,
> Tomcat will only listen for enough characters to match or not-match the
> required password, then it shuts the port.
Now I'll know exactly how long the shutdown password is. =-) -- justin