Posted to users@tomcat.apache.org by 沉淀 <10...@qq.com.INVALID> on 2023/04/28 07:16:32 UTC

About StandardServer

I am reading the source code of Tomcat, the version is 9.0.73.
I see such a piece of code in the `await()` method in the `StandardServer` class:
int expected = 1024; // Cut off to avoid DoS attack
while (expected < shutdown.length()) {
    if (random == null) {
        random = new Random();
    }
    expected += (random.nextInt() % 1024);
}
while (expected > 0) {
    int ch = -1;
    try {
        ch = stream.read();
    } catch (IOException e) {
        log.warn(sm.getString("standardServer.accept.readError"), e);
        ch = -1;
    }
    // Control character or EOF (-1) terminates loop
    if (ch < 32 || ch == 127) {
        break;
    }
    command.append((char) ch);
    expected--;
}
Why isn't `expected` here directly made equal to `shutdown.length`?
For example, the stream contains 1024 characters, `shutdown` is still its default value: SHUTDOWN, and it still needs to loop 1024 times in the second while loop.
Please answer my doubts, thank you


沉淀
1074264900@qq.com




Re: About StandardServer

Posted by Mark Thomas <ma...@apache.org>.
On 28/04/2023 08:16, 沉淀 wrote:
> I am reading the source code of Tomcat, the version is 9.0.73.
> I see such a piece of code in the `await()` method in the `StandardServer` class:
> int expected = 1024; // Cut off to avoid DoS attack
> while (expected < shutdown.length()) {
>      if (random == null) {
>          random = new Random();
>      }
>      expected += (random.nextInt() % 1024);
> }
> while (expected > 0) {
>      int ch = -1;
>      try {
>          ch = stream.read();
>      } catch (IOException e) {
>          log.warn(sm.getString("standardServer.accept.readError"), e);
>          ch = -1;
>      }
>      // Control character or EOF (-1) terminates loop
>      if (ch < 32 || ch == 127) {
>          break;
>      }
>      command.append((char) ch);
>      expected--;
> }
> Why isn't `expected` here directly made equal to `shutdown.length`?
> For example, the stream contains 1024 characters, `shutdown` is still its default value: SHUTDOWN, and it still needs to loop 1024 times in the second while loop.
> Please answer my doubts, thank you

Security.

Mark
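
The read loop from the question, run over constructed input, as an added example that is not part of the thread or of Tomcat's code base. It shows that 1024 is an upper bound on what one connection can feed into the command buffer, reached only when a client keeps sending printable characters, and that the bound does not depend on the configured command until that command is longer than 1024 characters. The class name, helper names and sample inputs are assumptions; `String.repeat` needs Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Random;

public class AwaitReadCapDemo {
    // Cap computation as in the quoted snippet. Java's % keeps the sign of the
    // dividend, so each step lies in -1023..1023 and the loop repeats until the
    // cap is at least the command length.
    static int computeCap(String shutdown, Random random) {
        int expected = 1024;
        while (expected < shutdown.length()) {
            expected += (random.nextInt() % 1024);
        }
        return expected;
    }

    // Read loop as in the quoted snippet, with the logging call left out.
    static String readCommand(InputStream stream, int expected) {
        StringBuilder command = new StringBuilder();
        while (expected > 0) {
            int ch;
            try { ch = stream.read(); } catch (IOException e) { ch = -1; }
            if (ch < 32 || ch == 127) { // control character or EOF (-1)
                break;
            }
            command.append((char) ch);
            expected--;
        }
        return command.toString();
    }

    public static void main(String[] args) {
        Random random = new Random();
        String shutdown = "SHUTDOWN"; // default value mentioned in the question
        int cap = computeCap(shutdown, random); // padding loop is skipped for short commands
        // Constructed inputs: newline-terminated, closed after the command, flood.
        for (String sent : new String[] {"SHUTDOWN\n", "SHUTDOWN", "A".repeat(5000)}) {
            InputStream in = new ByteArrayInputStream(sent.getBytes(StandardCharsets.US_ASCII));
            String got = readCommand(in, cap);
            System.out.printf("sent=%d read=%d match=%b%n", sent.length(), got.length(), got.equals(shutdown));
        }
        // A command longer than 1024 characters gets a cap that varies per run.
        String longCmd = "x".repeat(3000); // constructed
        System.out.println("cap for 3000-char command: " + computeCap(longCmd, random));
    }
}
```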
