Posted to users@tomcat.apache.org by Tyson Lowery <ty...@gmail.com> on 2010/11/16 19:26:33 UTC

Buffer Overflow

I'm running Tomcat 6.0.29

I'm seeing this in my catalina.out log file.  I've been able to narrow 
the problem to a single JSP page, and the problem only happens with a 
single user when that user is using Windows XP/FireFox 3.6.12.   I've 
tested the page with XP/Firefox 3.6.3 and can't reproduce the issue.   
The JSP page reads and writes custom cookies.

Any ideas on what might be happening, or on how to get more information 
(like what is actually in the header)?

Nov 15, 2010 11:48:00 PM org.apache.jk.common.MsgAjp cpBytes
SEVERE: Buffer overflow: buffer.len=8192 pos=8190 data=103
Nov 15, 2010 11:48:00 PM org.apache.jk.common.MsgAjp cpBytes
SEVERE: Overflow
java.lang.Throwable
         at org.apache.jk.common.MsgAjp.cpBytes(MsgAjp.java:196)
         at org.apache.jk.common.MsgAjp.appendByteChunk(MsgAjp.java:170)
         at org.apache.jk.common.MsgAjp.appendBytes(MsgAjp.java:155)
         at org.apache.jk.common.JkInputStream.appendHead(JkInputStream.java:324)
         at org.apache.jk.core.MsgContext.action(MsgContext.java:266)
         at org.apache.coyote.Response.action(Response.java:183)
         at org.apache.coyote.Response.sendHeaders(Response.java:379)
         at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:305)
         at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:273)
         at org.apache.catalina.connector.Response.finishResponse(Response.java:493)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:322)
         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774)
         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
         at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
         at java.lang.Thread.run(Thread.java:619)
Nov 15, 2010 11:48:00 PM org.apache.catalina.connector.CoyoteAdapter service
SEVERE: An exception or error occurred in the container during the request processing
java.lang.ArrayIndexOutOfBoundsException
Nov 15, 2010 11:48:00 PM org.apache.jk.common.MsgAjp cpBytes
SEVERE: Buffer overflow: buffer.len=8192 pos=8190 data=103
Nov 15, 2010 11:48:00 PM org.apache.jk.common.MsgAjp cpBytes
SEVERE: Overflow
java.lang.Throwable
         at org.apache.jk.common.MsgAjp.cpBytes(MsgAjp.java:196)
         at org.apache.jk.common.MsgAjp.appendByteChunk(MsgAjp.java:170)
         at org.apache.jk.common.MsgAjp.appendBytes(MsgAjp.java:155)
         at org.apache.jk.common.JkInputStream.appendHead(JkInputStream.java:324)
         at org.apache.jk.core.MsgContext.action(MsgContext.java:266)
         at org.apache.jk.core.MsgContext.action(MsgContext.java:302)
         at org.apache.coyote.Response.action(Response.java:183)
         at org.apache.coyote.Response.finish(Response.java:305)
         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:195)
         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774)
         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
         at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
         at java.lang.Thread.run(Thread.java:619)
Nov 15, 2010 11:48:00 PM org.apache.jk.common.ChannelSocket processConnection
SEVERE: Error, processing connection
java.lang.ArrayIndexOutOfBoundsException

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Buffer Overflow

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Tyson,

First, let me say that I know almost nothing about the AJP protocol, but
reading through the code from the inside out has triggered a memory. See
below.

On 11/16/2010 1:26 PM, Tyson Lowery wrote:
> I'm running Tomcat 6.0.29

Thanks!

> I'm seeing this in my catalina.out log file.  I've been able to narrow
> the problem to a single JSP page, and the problem only happens with a
> single user when that user is using Windows XP/FireFox 3.6.12.   I've
> tested the page with XP/Firefox 3.6.3 and can't reproduce the issue.  
> The JSP page reads and writes custom cookies.

Can you give us some examples? Is it possible that you are generating
very large cookie names and/or values?

> Any ideas on what might be happening, or on how to get more information
> (like what is actually in the header)?

You ought to be able to configure the logger to emit messages for the
org.apache.jk package tree. It looks like the code is generating debug
messages if the logging system is configured to capture them.

> Nov 15, 2010 11:48:00 PM org.apache.jk.common.MsgAjp cpBytes
> SEVERE: Buffer overflow: buffer.len=8192 pos=8190 data=103

8192 is the default packetSize option for the AJP <Connector>. It
appears that you are trying to shove more data into a single packet than
is possible.

It's not your fault. Well, sort-of, but not really. Your code is
probably fine.

I believe that either the AJP protocol or Tomcat's implementation of it
requires that all of the HTTP headers fit into the first AJP packet sent
back to the web server. So, if you have more than 8192 bytes of headers
to send back to the web server, you'll get this error. That's why I
asked about the large cookie values. It also happens when you use SSL
with proxied certificate chains which can eat up a lot of space, too.

Anyhow, there is good news: you can change the default packetSize like this:

<Connector ... packetSize="16384" />

MAKE SURE YOU SET THE max_packet_size IN mod_jk TO BE THE SAME VALUE,
otherwise everything will go to hell. You can go up to 65536 bytes for
the packet size if you really need to. Note that larger packet sizes may
have a performance impact.

Another option would be to limit the total size of cookie information
you allow your custom JSP to emit. It's not foolproof (you can always
use some other header to reach this limit) but it might help if you are
not comfortable increasing the AJP packet size for some reason.

Hope that helps,
-chris
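
A way to size-check a response's headers against the AJP packet limit discussed in the reply above, as an added example that is not part of the original thread or of Tomcat's code. It assumes the AJP13 SEND_HEADERS layout (4-byte packet header, prefix code, status, reason string, header count, then name/value strings) and counts every header name as a full string, which gives an upper bound; the function names and the sample cookies are constructed for illustration.

```python
AJP_HEADER_LEN = 4          # 2 magic bytes + 2-byte payload length
DEFAULT_PACKET_SIZE = 8192  # default packetSize named in the reply above


def ajp_string_len(value):
    """AJP13 string: 2-byte length, the bytes, then a NUL terminator."""
    return 2 + len(value.encode("iso-8859-1")) + 1


def send_headers_size(reason, headers):
    """Upper-bound size in bytes of the whole SEND_HEADERS packet.

    Assumption: header names are written as full strings; an
    implementation that uses 2-byte coded names produces less.
    """
    size = AJP_HEADER_LEN
    size += 1                       # prefix code (SEND_HEADERS)
    size += 2                       # HTTP status code
    size += ajp_string_len(reason)  # HTTP status message
    size += 2                       # number of headers
    for name, value in headers:
        size += ajp_string_len(name) + ajp_string_len(value)
    return size


def check_response(reason, headers, packet_size=DEFAULT_PACKET_SIZE):
    """Return (fits, total size, per-header cost sorted largest first)."""
    size = send_headers_size(reason, headers)
    cost = sorted(
        ((ajp_string_len(n) + ajp_string_len(v), n) for n, v in headers),
        reverse=True,
    )
    return size <= packet_size, size, cost


# Constructed sample: a response that sets four large custom cookies.
SAMPLE = [("Content-Type", "text/html;charset=UTF-8")] + [
    ("Set-Cookie", "pref%d=%s; Path=/" % (i, "x" * 2100)) for i in range(4)
]

if __name__ == "__main__":
    for limit in (8192, 16384):
        fits, size, cost = check_response("OK", SAMPLE, limit)
        print("packetSize=%d size=%d fits=%s largest=%s"
              % (limit, size, fits, cost[0]))
```

Run against the headers a page actually emits, the sorted cost list shows which header (typically Set-Cookie) to cap before deciding whether to raise packetSize and max_packet_size together.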