https://issues.apache.org/bugzilla/show_bug.cgi?id=48719
Summary: [BUG] mod_proxy_ajp return wrong error message when
client cookie is very big
Product: Apache httpd-2
Version: 2.2.4
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy_ajp
AssignedTo: [email protected]
ReportedBy: [email protected]
Created an attachment (id=24959)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24959)
test jsp page
1 error in apache-mod_proxy_ajp
1.1 In apache-mod_proxy_ajp-tomcat connection,
when jsp page on tomcat trys to create a very big cookie(about 8000B) to user
explorer, (or just try to read a very big cookie from user explorer),
error occurs.
With the size of cookie changed,
the following error log generated(in apache/logs/error_log):
--
[Tue Feb 09 14:02:40 2010] [error] ajp_msg_get_string():
BufferOverflowException 8188 8192
[Tue Feb 09 14:02:40 2010] [error] ajp_unmarshal_response: Null header name
[Tue Feb 09 14:02:40 2010] [error] (120001)APR does not understand this
error code: proxy: send body failed to 172.28.14.243:8009 (172.28.14.243)
--
[Tue Feb 09 12:37:22 2010] [error] ajp_check_msg_header() incoming message
is too big 8196, max is 8192
[Tue Feb 09 12:37:22 2010] [error] ajp_ilink_receive() received bad header
[Tue Feb 09 12:37:22 2010] [error] ajp_read_header: ajp_ilink_receive failed
[Tue Feb 09 12:37:22 2010] [error] (120007)APR does not understand this
error code: proxy: send body failed to 172.28.14.243:8009 (172.28.14.243)
--
[Tue Feb 09 13:42:22 2010] [error] (70014)End of file found:
ajp_ilink_receive() can't receive header
[Tue Feb 09 13:42:22 2010] [error] ajp_read_header: ajp_ilink_receive failed
[Tue Feb 09 13:42:22 2010] [error] (120006)APR does not understand this
error code: proxy: read response failed from 172.28.14.243:8009
(172.28.14.243)
And with the size of cookie changed,different error message
return to user explorer.
But not describe the truly reason (cookie or url or just ajp_header are out of
limit).
1.2 source check
1.2.1 base source
+ Apache 2.2.4 mod_proxy_ajp
+ Tomcat 5.5.23 connectors/ajp
1.2.2 source extraction
--SEND (apache_tomcat_ajp)--
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/src/ajp_msg.c
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/src/ajp_link.c
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/src/ajp_header.c
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/include/ajp_header.h
//apache-tomcat-5.5.23-src/connectors/ajp/proxy/proxy_ajp.c
//apache-tomcat-5.5.23-src/connectors/ajp/proxy/mod_proxy.c
ap_proxy_ajp_request(){
... ...
ajp_send_header();
... ...
}
ajp_send_header(){
... ...
ajp_msg_create();
ajp_malshal_to_msgb();
ajp_ilink_send();
... ...
}
ajp_msg_create(){
... ...
msg->len=0;
msg->header_len=4;
... ...
}
ajp_malshal_to_msgb(){
... ...
ajp_msg_append_*(); // msg->len += 1/2/4/...
}
ajp_ilink_send(){
... ...
ajp_msg_end();
... ...
}
ajp_msg_append_uint8(){
if((msg->len + 1) >= 8KB) // <== ERROR: msg->len + 4
(msg->header_len) + 1 >= 8KB
// <== fine process for too big error
}
ajp_msg_end(){
... ...
// write prefix 2 bytes to buf[0-1]
... ...
// write len (msg->len - 4) 2 bytes to buf[2-3]
len = msg->len - 4; // <== ERROR: msg->len used as save buf used
length
... ...
}
--RECEIVE(apache_mod_proxy_ajp)--
//httpd-2.2.4/modules/proxy/apj_msg.c
ajp_msg_chech_heaher(){
... ...
// get msglen from buf
if(msglen > 8KB){ // <== ERROR: msglen used as save buf used length
// output: [Wed Dec 30 14:17:43 2009] [error] ajp_check_msg_header()
incoming message is too big 8196, max is 8192
// this message should nerver appear
}
... ...
}
1.3 wrong use of len(in struct ajp_msg)/header_len/msglen(in ajp_header buf).
It seems that these three value has different meaning in describe the
ajp_header. But in two places, it was used in different meaning.
So that when the ajp_header size reached about AJP_MSG_BUFFER_SZ,
error occurs in many places.
2 For many applications' necessory,
we suggest the value of AJP_MSG_BUFFER_SZ up to 16KB.
This value should be a good balance between performance and availability.
3 wrong function name in log output.
apache/modules/proxy/ajp_msg.c:
line: 102 function name error.
line: 113 function name error.
4 test jsp page (in attachment)
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
