This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 3085441 Fix NIO2 SSL edge cases
3085441 is described below
commit 3085441eda67b425a9a4aab9874c0d6d1a876a90
Author: remm <[email protected]>
AuthorDate: Tue Apr 2 12:05:29 2019 +0200
Fix NIO2 SSL edge cases
Not actually used, but good for robustness.
---
.../apache/tomcat/util/net/SecureNio2Channel.java | 38 +++++++++++++++++-----
webapps/docs/changelog.xml | 3 ++
2 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/SecureNio2Channel.java
b/java/org/apache/tomcat/util/net/SecureNio2Channel.java
index cb670ae..61ed253 100644
--- a/java/org/apache/tomcat/util/net/SecureNio2Channel.java
+++ b/java/org/apache/tomcat/util/net/SecureNio2Channel.java
@@ -942,7 +942,7 @@ public class SecureNio2Channel extends Nio2Channel {
getBufHandler().expand(
sslEngine.getSession().getApplicationBufferSize());
dst2 = getBufHandler().getReadBuffer();
- } else if (dst2 ==
getAppReadBufHandler().getByteBuffer()) {
+ } else if (getAppReadBufHandler() != null
&& dst2 == getAppReadBufHandler().getByteBuffer()) {
getAppReadBufHandler()
.expand(sslEngine.getSession().getApplicationBufferSize());
dst2 =
getAppReadBufHandler().getByteBuffer();
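Review bot: The added null guard and the dereferences that follow each call `getAppReadBufHandler()` again, so the check and the use are not guaranteed to see the same handler if it can be replaced while a read is in flight (not visible from this hunk). Reading it once into a local, e.g. `appHandler`, makes the guard cover the uses: `} else if (appHandler != null && dst2 == appHandler.getByteBuffer()) {`. The same pattern is repeated in the `else if` branch added in the hunk at -1052, and the enclosing method starts and ends outside this hunk.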
@@ -1028,7 +1028,7 @@ public class SecureNio2Channel extends Nio2Channel {
read += unwrap.bytesProduced();
if (useOverflow) {
// Remove the data read into the overflow
buffer
- read -= dsts2[dsts.length].position();
+ read -=
getBufHandler().getReadBuffer().position();
}
//perform any tasks if needed
if (unwrap.getHandshakeStatus() ==
HandshakeStatus.NEED_TASK)
@@ -1052,20 +1052,42 @@ public class SecureNio2Channel extends Nio2Channel {
//in the constructor
ByteBuffer readBuffer =
getBufHandler().getReadBuffer();
boolean found = false;
- for (ByteBuffer buffer : dsts2) {
- if (buffer == readBuffer) {
+ boolean resized = true;
+ for (int i = 0; i < length2; i++) {
+ // The SSL session has increased the
required buffer size
+ // since the buffer was created.
+ if (dsts[offset + i] ==
getBufHandler().getReadBuffer()) {
+
getBufHandler().expand(sslEngine.getSession().getApplicationBufferSize());
+ if (dsts[offset + i] ==
getBufHandler().getReadBuffer()) {
+ resized = false;
+ }
+ dsts[offset + i] =
getBufHandler().getReadBuffer();
+ found = true;
+ } else if (getAppReadBufHandler() != null
&& dsts[offset + i] == getAppReadBufHandler().getByteBuffer()) {
+
getAppReadBufHandler().expand(sslEngine.getSession().getApplicationBufferSize());
+ if (dsts[offset + i] ==
getAppReadBufHandler().getByteBuffer()) {
+ resized = false;
+ }
+ dsts[offset + i] =
getAppReadBufHandler().getByteBuffer();
found = true;
}
}
if (found) {
- throw new
IOException(sm.getString("channel.nio.ssl.unwrapFail", unwrap.getStatus()));
+ if (!resized) {
+ throw new
IOException(sm.getString("channel.nio.ssl.unwrapFail", unwrap.getStatus()));
+ }
} else {
// Add the main read buffer in the
destinations and try again
dsts2 = new ByteBuffer[dsts.length + 1];
- for (int i = 0; i < dsts.length; i++) {
- dsts2[i] = dsts[i];
+ int dstOffset = 0;
+ for (int i = 0; i < dsts.length + 1; i++) {
+ if (i == offset + length) {
+ dsts2[i] = readBuffer;
+ dstOffset = -1;
+ } else {
+ dsts2[i] = dsts[i + dstOffset];
+ }
}
- dsts2[dsts.length] = readBuffer;
length2 = length + 1;
getBufHandler().configureReadBufferForWrite();
processOverflow = true;
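Review bot: The new scan loop is bounded by `length2` but indexes the caller's `dsts`, and `length2` becomes `length + 1` a few lines below, once the overflow buffer has been placed in `dsts2`. If the enclosing retry loop (outside this hunk) reaches this BUFFER_OVERFLOW branch a second time, `dsts[offset + length]` is either a buffer outside the range the caller asked for or, when `offset + length == dsts.length`, an ArrayIndexOutOfBoundsException on a path driven by peer-supplied TLS records. Bounding the scan by the caller's range avoids both: `for (int i = 0; i < length; i++) {`. It is also worth confirming that the expanded buffers written back into `dsts[offset + i]` are the ones the retry passes to `unwrap`, since that only holds while `dsts2` still refers to the same array as `dsts`.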
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 05c0aba..a327e90 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -124,6 +124,9 @@
that prevented the use of PKCS#8 private keys with OpenSSL based
connectors. (markt)
</fix>
+ <fix>
+ Fix NIO2 SSL edge cases. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">