You are viewing a plain text version of this content. The canonical link for it is here.

Posted to scm@geronimo.apache.org by ga...@apache.org on 2012/11/12 17:05:24 UTC

svn commit: r1408341 - /geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java

Author: gawor
Date: Mon Nov 12 16:05:22 2012
New Revision: 1408341

URL: http://svn.apache.org/viewvc?rev=1408341&view=rev
Log:
GERONIMO-6404: Applied patch for CVE-2012-2733

Modified:
    geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java

Modified: geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java?rev=1408341&r1=1408340&r2=1408341&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java (original)
+++ geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java Mon Nov 12 16:05:22 2012
@@ -478,10 +478,6 @@ public class InternalNioInputBuffer exte
         
         do {
             status = parseHeader();
-        } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS );
-        if (status == HeaderParseStatus.DONE) {
-            parsingHeader = false;
-            end = pos;
             // Checking that
             // (1) Headers plus request line size does not exceed its limit
             // (2) There are enough bytes to avoid expanding the buffer when
@@ -490,11 +486,15 @@ public class InternalNioInputBuffer exte
             // limitation to enforce the meaning of headerBufferSize
             // From the way how buf is allocated and how blank lines are being
             // read, it should be enough to check (1) only.
-            if (end - skipBlankLinesBytes > headerBufferSize
-                    || buf.length - end < socketReadBufferSize) {
+            if (pos - skipBlankLinesBytes > headerBufferSize
+                    || buf.length - pos < socketReadBufferSize) {
                 throw new IllegalArgumentException(
                         sm.getString("iib.requestheadertoolarge.error"));
             }
+        } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS );
+        if (status == HeaderParseStatus.DONE) {
+            parsingHeader = false;
+            end = pos;
             return true;
         } else {
             return false;