Author: mturk Date: Thu Mar 16 00:18:04 2006 New Revision: 386285 URL: http://svn.apache.org/viewcvs?rev=386285&view=rev Log: Fix #38859 by protecting mod_jk against buggy or malicious AJP servers in the backend. Patch provided by Ruediger Pluem.
Modified:
tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c
tomcat/connectors/trunk/jk/xdocs/changelog.xml

Modified: tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c
URL: http://svn.apache.org/viewcvs/tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c?rev=386285&r1=386284&r2=386285&view=diff
==============================================================================
--- tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c (original)
+++ tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c Thu Mar 16 00:18:04 2006
@@ -1380,6 +1380,22 @@
 case JK_AJP13_SEND_BODY_CHUNK:
 {
 unsigned int len = (unsigned int)jk_b_get_int(msg);
+ /*
+ * Do a sanity check on len to prevent write reading beyond buffer
+ * boundaries and thus revealing possible sensitive memory
+ * contents to the client.
+ * len cannot be larger than msg->len - 3 because the ajp message
+ * contains the magic byte for JK_AJP13_SEND_BODY_CHUNK (1 byte)
+ * and the length of the chunk (2 bytes). The remaining part of
+ * the message is the chunk.
+ */
+ if (len > msg->len - 3) {
+ jk_log(l, JK_LOG_ERROR,
+ "Chunk length too large. Length of AJP message is %i,"
+ " chunk length is %i.", msg->len, len);
+ JK_TRACE_EXIT(l);
+ return JK_INTERNAL_ERROR;
+ }
 if (!r->write(r, msg->buf + msg->pos, len)) {
 jk_log(l, JK_LOG_INFO,
 "Connection aborted or network problems");
@@ -2065,7 +2081,7 @@
 *e = NULL;
 /* set last_access only if needed */
 if (w->cache_timeout > 0 || w->recycle_timeout > 0)
- p->last_access = time(NULL);
+ p->last_access = time(NULL);
 JK_LEAVE_CS(&w->cs, rc);
 if (sock >= 0)
 jk_shutdown_socket(sock);
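Review bot: The new bound `if (len > msg->len - 3)` hardcodes the 3-byte offset instead of using the position the very next line actually reads from, `msg->buf + msg->pos`, so the check and the write can disagree whenever the buffer's origin or the current pos is not exactly what the comment assumes; tying the check to the same pos is both tighter and self-explanatory: `if (len > (unsigned int)(msg->len - msg->pos)) {`, with the comment's `msg->len - 3` changed to `msg->len - msg->pos`. The subtraction also needs a lower-bound guard: if msg->len can ever be smaller than the subtrahend (or pos can run past len), an unsigned wrap or the signed-to-unsigned conversion in the comparison makes the right-hand side huge and the check silently passes any len — the declared types of msg->len and msg->pos are not visible in this hunk, so confirm them, or add `msg->pos > msg->len ||` to the condition. Minor: `len` is an unsigned int but is logged with `%i`; `%u` matches the type. The enclosing switch starts before and continues after this hunk.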
@@ -2137,7 +2153,7 @@
 else {
 jk_log(l, JK_LOG_WARNING,
 "Unable to get the free endpoint for worker %s from %d slots",
- aw->name, aw->ep_cache_sz);
+ aw->name, aw->ep_cache_sz);
 }
 JK_LEAVE_CS(&aw->cs, rc);
 }

Modified: tomcat/connectors/trunk/jk/xdocs/changelog.xml
URL: http://svn.apache.org/viewcvs/tomcat/connectors/trunk/jk/xdocs/changelog.xml?rev=386285&r1=386284&r2=386285&view=diff
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/changelog.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/changelog.xml Thu Mar 16 00:18:04 2006
@@ -26,6 +26,10 @@
 <subsection name="Native">
 <changelog>
 <fix>
+ <bug>38859</bug>: Protect mod_jk against buggy or malicious
+ AJP servers in the backend. Patch provided by Ruediger Pluem. (mturk)
+ </fix>
+ <fix>
 <bug>38889</bug>: Use worker map sorting depending on the path elements, to comply with Servlet spec. Patch provided by Steve Revilak. (mturk)

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]