From 465826cd1e61a5ef976b3ea7c857052e092cc08c Mon Sep 17 00:00:00 2001 From: mturk Date: Thu, 18 Feb 2010 16:44:57 +0000 Subject: [PATCH] Make sure we favor the values from AjpMessage.processHeader. If the signature is invalid len can be any random number in that case git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@911481 13f79535-47bb-0310-9956-ffa450edef68 --- java/org/apache/coyote/ajp/AjpAprProcessor.java | 26 ++++++++++++++++------- java/org/apache/coyote/ajp/AjpProcessor.java | 28 ++++++++++++++++++------- 2 files changed, 39 insertions(+), 15 deletions(-) diff --git a/java/org/apache/coyote/ajp/AjpAprProcessor.java b/java/org/apache/coyote/ajp/AjpAprProcessor.java index 5910ea936..c51d4c4e5 100644 --- a/java/org/apache/coyote/ajp/AjpAprProcessor.java +++ b/java/org/apache/coyote/ajp/AjpAprProcessor.java @@ -1112,8 +1112,10 @@ public class AjpAprProcessor implements ActionHook { first = false; bodyMessage.reset(); - readMessage(bodyMessage, false, false); - + if (!readMessage(bodyMessage, false, false)) { + // Invalid message + return false; + } // No data received. if (bodyMessage.getLen() == 0) { // just the header @@ -1182,11 +1184,21 @@ public class AjpAprProcessor implements ActionHook { read(headerLength); } inputBuffer.get(message.getBuffer(), 0, headerLength); - message.processHeader(); - read(message.getLen()); - inputBuffer.get(message.getBuffer(), headerLength, message.getLen()); - - return true; + int messageLength = message.processHeader(); + if (messageLength < 0) { + // Invalid AJP header signature + // TODO: Throw some exception and close the connection to frontend. + return false; + } + else if (messageLength == 0) { + // Zero length message. + return true; + } + else { + read(messageLength); + inputBuffer.get(message.getBuffer(), headerLength, messageLength); + return true; + } } diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index c4a7f654d..7d63fdcf2 100644 
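Review bot: The new `return false;` after a failed `readMessage(bodyMessage, false, false)` in `receive()` reports a rejected frame the same way as an ordinary "no data" result. Judging by the `// No data received.` branch that follows, the caller probably cannot tell a corrupted AJP stream from the end of the body. After a bad signature the framing with the front end can no longer be trusted, so the body would be silently truncated while the connection stays in use, which the TODO in `readMessage()` already hints at. I would fail hard here instead, for example `throw new IOException("Invalid AJP message received while reading request body");`, assuming `receive()` declares `IOException` (its signature is outside the hunk). The same applies to the `receive()` hunk in AjpProcessor.java.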
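Review bot: `messageLength` in `readMessage()` is checked only for being negative, yet it comes from the peer-supplied header and is then used as the copy length in `inputBuffer.get(message.getBuffer(), headerLength, messageLength)`. Unless `processHeader()` already caps it (not visible here), a length larger than the space left in the message buffer ends in an unchecked runtime exception instead of a clean rejection. I would add an upper bound before the `read(messageLength)` call, e.g. `if (messageLength > message.getBuffer().length - headerLength) { return false; }`, or throw an `IOException` so the connection is closed. The `readMessage()` hunk in AjpProcessor.java needs the same check against `buf.length - headerLength`. The method starts outside this hunk, so its Javadoc should also be checked to confirm it states that `false` now means an invalid header.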
--- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -1062,8 +1062,10 @@ public class AjpProcessor implements ActionHook { first = false; bodyMessage.reset(); - readMessage(bodyMessage); - + if (!readMessage(bodyMessage)) { + // Invalid message + return false; + } // No data received. if (bodyMessage.getLen() == 0) { // just the header @@ -1119,14 +1121,24 @@ public class AjpProcessor implements ActionHook { throws IOException { byte[] buf = message.getBuffer(); + int headerLength = message.getHeaderLength(); - read(buf, 0, message.getHeaderLength()); - - message.processHeader(); - read(buf, message.getHeaderLength(), message.getLen()); - - return true; + read(buf, 0, headerLength); + int messageLength = message.processHeader(); + if (messageLength < 0) { + // Invalid AJP header signature + // TODO: Throw some exception and close the connection to frontend. + return false; + } + else if (messageLength == 0) { + // Zero length message. + return true; + } + else { + read(buf, headerLength, messageLength); + return true; + } } -- 2.11.0