Make sure we favor the values from AjpMessage.processHeader. If the signature is...

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@911481 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/java/org/apache/coyote/ajp/AjpAprProcessor.java b/java/org/apache/coyote/ajp/AjpAprProcessor.java
index 5910ea9..c51d4c4 100644 (file)
--- a/java/org/apache/coyote/ajp/AjpAprProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpAprProcessor.java
@@ -1112,8 +1112,10 @@ public class AjpAprProcessor implements ActionHook {
 
         first = false;
         bodyMessage.reset();
-        readMessage(bodyMessage, false, false);
-
+        if (!readMessage(bodyMessage, false, false)) {
+            // Invalid message
+            return false;
+        }
         // No data received.
         if (bodyMessage.getLen() == 0) {
             // just the header
@@ -1182,11 +1184,21 @@ public class AjpAprProcessor implements ActionHook {
             read(headerLength);
         }
         inputBuffer.get(message.getBuffer(), 0, headerLength);
-        message.processHeader();
-        read(message.getLen());
-        inputBuffer.get(message.getBuffer(), headerLength, message.getLen());
-
-        return true;
+        int messageLength = message.processHeader();
+        if (messageLength < 0) {
+            // Invalid AJP header signature
+            // TODO: Throw some exception and close the connection to frontend.
+            return false;
+        }
+        else if (messageLength == 0) {
+            // Zero length message.
+            return true;
+        }
+        else {
+            read(messageLength);
+            inputBuffer.get(message.getBuffer(), headerLength, messageLength);
+            return true;
+        }
 
     }
 

diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index c4a7f65..7d63fdc 100644 (file)
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -1062,8 +1062,10 @@ public class AjpProcessor implements ActionHook {
 
         first = false;
         bodyMessage.reset();
-        readMessage(bodyMessage);
-
+        if (!readMessage(bodyMessage)) {
+            // Invalid message
+            return false;
+        }
         // No data received.
         if (bodyMessage.getLen() == 0) {
             // just the header
@@ -1119,14 +1121,24 @@ public class AjpProcessor implements ActionHook {
         throws IOException {
 
         byte[] buf = message.getBuffer();
+        int headerLength = message.getHeaderLength();
 
-        read(buf, 0, message.getHeaderLength());
-
-        message.processHeader();
-        read(buf, message.getHeaderLength(), message.getLen());
-
-        return true;
+        read(buf, 0, headerLength);
 
+        int messageLength = message.processHeader();
+        if (messageLength < 0) {
+            // Invalid AJP header signature
+            // TODO: Throw some exception and close the connection to frontend.
+            return false;
+        }
+        else if (messageLength == 0) {
+            // Zero length message.
+            return true;
+        }
+        else {
+            read(buf, headerLength, messageLength);
+            return true;
+        }
     }