Detect incomplete AJP messages and reject the associated request if one is found

author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Thu, 25 Aug 2011 10:38:32 +0000 (10:38 +0000)

committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Thu, 25 Aug 2011 10:38:32 +0000 (10:38 +0000)
author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Thu, 25 Aug 2011 10:38:32 +0000 (10:38 +0000)
committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Thu, 25 Aug 2011 10:38:32 +0000 (10:38 +0000)
diff --git a/java/org/apache/coyote/ajp/AjpMessage.java b/java/org/apache/coyote/ajp/AjpMessage.java

index 448969f..08dbfca 100644 (file)
--- a/java/org/apache/coyote/ajp/AjpMessage.java
+++ b/java/org/apache/coyote/ajp/AjpMessage.java
@@ -291,11 +291,13 @@ public class AjpMessage {
      public int getInt() {
          int b1 = buf[pos++] & 0xFF;
          int b2 = buf[pos++] & 0xFF;
+        validatePos(pos);
          return (b1<<8) + b2;
      }
  
  
      public int peekInt() {
+        validatePos(pos + 2);
          int b1 = buf[pos] & 0xFF;
          int b2 = buf[pos+1] & 0xFF;
          return (b1<<8) + b2;
@@ -304,6 +306,7 @@ public class AjpMessage {
      
      public byte getByte() {
          byte res = buf[pos++];
+        validatePos(pos);
          return res;
      }
  
@@ -314,6 +317,7 @@ public class AjpMessage {
              mb.recycle();
              return;
          }
+        validatePos(pos + length + 1);
          mb.setBytes(buf, pos, length);
          mb.getCharChunk().recycle(); // not valid anymore
          pos += length;
@@ -335,6 +339,7 @@ public class AjpMessage {
          b1 |= (buf[pos++] & 0xFF);
          b1 <<=8;
          b1 |= (buf[pos++] & 0xFF);
+        validatePos(pos);
          return  b1;
      }
  
@@ -389,6 +394,13 @@ public class AjpMessage {
      }
  
  
+    private void validatePos(int posToTest) {
+        if (posToTest > len + 4) {
+            // Trying to read data beyond the end of the AJP message 
+            throw new ArrayIndexOutOfBoundsException(sm.getString(
+                    "ajpMessage.invalidPos", Integer.valueOf(pos)));
+        }
+    }
      // ------------------------------------------------------ Protected Methods
  
  
diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties

index 0e42906..f1b5b66 100644 (file)
--- a/java/org/apache/coyote/ajp/LocalStrings.properties
+++ b/java/org/apache/coyote/ajp/LocalStrings.properties
@@ -46,4 +46,5 @@ ajpmessage.overflow=Overflow error for buffer adding {0} bytes at position {1}
  ajpmessage.read=Requested {0} bytes exceeds message available data
  ajpmessage.invalid=Invalid message received with signature {0}
  ajpmessage.invalidLength=Invalid message received with length {0}
+ajpMessage.invalidPos=Requested read of bytes at position [{0}] which is beyond then end of the AJP message
author	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Thu, 25 Aug 2011 10:38:32 +0000 (10:38 +0000)
committer	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Thu, 25 Aug 2011 10:38:32 +0000 (10:38 +0000)
java/org/apache/coyote/ajp/AjpMessage.java		patch \| blob \| history
java/org/apache/coyote/ajp/LocalStrings.properties		patch \| blob \| history