Posted to dev@tomcat.apache.org by mt...@apache.org on 2006/03/16 09:18:05 UTC
svn commit: r386285 - in /tomcat/connectors/trunk/jk:
native/common/jk_ajp_common.c xdocs/changelog.xml
Author: mturk
Date: Thu Mar 16 00:18:04 2006
New Revision: 386285
URL: http://svn.apache.org/viewcvs?rev=386285&view=rev
Log:
Fix #38859 by protecting mod_jk against buggy or
malicious AJP servers in the backend.
Patch provided by Ruediger Pluem.
Modified:
tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c
tomcat/connectors/trunk/jk/xdocs/changelog.xml
Modified: tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c
URL: http://svn.apache.org/viewcvs/tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c?rev=386285&r1=386284&r2=386285&view=diff
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c Thu Mar 16 00:18:04 2006
@@ -1380,6 +1380,22 @@
case JK_AJP13_SEND_BODY_CHUNK:
{
unsigned int len = (unsigned int)jk_b_get_int(msg);
+ /*
+ * Do a sanity check on len to prevent write reading beyond buffer
+ * boundaries and thus revealing possible sensitive memory
+ * contents to the client.
+ * len cannot be larger than msg->len - 3 because the ajp message
+ * contains the magic byte for JK_AJP13_SEND_BODY_CHUNK (1 byte)
+ * and the length of the chunk (2 bytes). The remaining part of
+ * the message is the chunk.
+ */
+ if (len > msg->len - 3) {
+ jk_log(l, JK_LOG_ERROR,
+ "Chunk length too large. Length of AJP message is %i,"
+ " chunk length is %i.", msg->len, len);
+ JK_TRACE_EXIT(l);
+ return JK_INTERNAL_ERROR;
+ }
if (!r->write(r, msg->buf + msg->pos, len)) {
jk_log(l, JK_LOG_INFO,
"Connection aborted or network problems");
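Review bot: The new bound in `if (len > msg->len - 3)` is measured from the start of the message, while the write on the next line reads from `msg->buf + msg->pos`; the two agree only because pos happens to be 3 at this point (one prefix byte plus the two length bytes), so the guard is better stated as the bytes actually remaining, `if (len > msg->len - msg->pos) {`, with the comment above it changed to say `msg->len - msg->pos` instead of `msg->len - 3`. If `msg->len` is an unsigned type, a message shorter than 3 bytes would wrap the subtraction to a very large value and the check would pass; the pos-relative form avoids that provided pos never exceeds len after jk_b_get_int, which is worth confirming. The jk_log call prints `len`, declared `unsigned int` on the line above the comment, with `%i`; `%u` matches the type. The enclosing function begins and ends outside this hunk.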
@@ -2065,7 +2081,7 @@
*e = NULL;
/* set last_access only if needed */
if (w->cache_timeout > 0 || w->recycle_timeout > 0)
- p->last_access = time(NULL);
+ p->last_access = time(NULL);
JK_LEAVE_CS(&w->cs, rc);
if (sock >= 0)
jk_shutdown_socket(sock);
@@ -2137,7 +2153,7 @@
else {
jk_log(l, JK_LOG_WARNING,
"Unable to get the free endpoint for worker %s from %d slots",
- aw->name, aw->ep_cache_sz);
+ aw->name, aw->ep_cache_sz);
}
JK_LEAVE_CS(&aw->cs, rc);
}
Modified: tomcat/connectors/trunk/jk/xdocs/changelog.xml
URL: http://svn.apache.org/viewcvs/tomcat/connectors/trunk/jk/xdocs/changelog.xml?rev=386285&r1=386284&r2=386285&view=diff
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/changelog.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/changelog.xml Thu Mar 16 00:18:04 2006
@@ -26,6 +26,10 @@
<subsection name="Native">
<changelog>
<fix>
+ <bug>38859</bug>: Protect mod_jk against buggy or malicious
+ AJP servers in the backend. Patch provided by Ruediger Pluem. (mturk)
+ </fix>
+ <fix>
<bug>38889</bug>: Use worker map sorting depending on the path
elements, to comply with Servlet spec. Patch provided by
Steve Revilak. (mturk)