Posted to scm@geronimo.apache.org by ga...@apache.org on 2012/11/12 17:05:24 UTC
svn commit: r1408341 -
/geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java
Author: gawor
Date: Mon Nov 12 16:05:22 2012
New Revision: 1408341
URL: http://svn.apache.org/viewvc?rev=1408341&view=rev
Log:
GERONIMO-6404: Applied patch for CVE-2012-2733
Modified:
geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java
Modified: geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java
URL: http://svn.apache.org/viewvc/geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java?rev=1408341&r1=1408340&r2=1408341&view=diff
==============================================================================
--- geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java (original)
+++ geronimo/external/trunk/tomcat-parent-7.0.27/catalina/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java Mon Nov 12 16:05:22 2012
@@ -478,10 +478,6 @@ public class InternalNioInputBuffer exte
do {
status = parseHeader();
- } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS );
- if (status == HeaderParseStatus.DONE) {
- parsingHeader = false;
- end = pos;
// Checking that
// (1) Headers plus request line size does not exceed its limit
// (2) There are enough bytes to avoid expanding the buffer when
@@ -490,11 +486,15 @@ public class InternalNioInputBuffer exte
// limitation to enforce the meaning of headerBufferSize
// From the way how buf is allocated and how blank lines are being
// read, it should be enough to check (1) only.
- if (end - skipBlankLinesBytes > headerBufferSize
- || buf.length - end < socketReadBufferSize) {
+ if (pos - skipBlankLinesBytes > headerBufferSize
+ || buf.length - pos < socketReadBufferSize) {
throw new IllegalArgumentException(
sm.getString("iib.requestheadertoolarge.error"));
}
+ } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS );
+ if (status == HeaderParseStatus.DONE) {
+ parsingHeader = false;
+ end = pos;
return true;
} else {
return false;
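Review bot: The `// Checking that` comment above the moved condition still describes a one-time check made once the headers are complete, but the condition now runs after every `parseHeader()` call, including iterations that end with a status other than `DONE`. A line such as `// Checked after each header so an unterminated header block cannot grow buf past headerBufferSize before DONE is reached` would record why the check has to stay inside the loop. The limit is evaluated only after `parseHeader()` returns, so how far `buf` can grow within a single call depends on code outside this hunk and should be confirmed. The enclosing method starts before the first hunk and continues past the last line shown.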