http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10383

Specially crafted GET request causes the answering httpd process and the
answering AJP13 processor to hang indefinitely

------- Additional Comments From [EMAIL PROTECTED]  2002-12-29 22:18 -------
Hi,

meanwhile I found time (OK, quite a long time has passed between now and my
original Bug Report :-), but I hoped someone would find a better solution.) to
create a workaround patch that prevents at least the hanging of the answering
httpd and the answering AJP13 processor (see also attachment):

diff -Nru
jakarta-tomcat-connectors-4.0.4-src.orig/jk/java/org/apache/ajp/tomcat4/Ajp13Processor.java
jakarta-tomcat-connectors-4.0.4-src/jk/java/org/apache/ajp/tomcat4/Ajp13Processor.java
---
jakarta-tomcat-connectors-4.0.4-src.orig/jk/java/org/apache/ajp/tomcat4/Ajp13Processor.java
2002-06-11 08:48:08.000000000 +0200
+++
jakarta-tomcat-connectors-4.0.4-src/jk/java/org/apache/ajp/tomcat4/Ajp13Processor.java
2002-12-29 14:33:56.000000000 +0100
@@ -468,7 +468,11 @@
                     logger.log("finished handling request.");
                 }

-            } catch (Throwable e) {
+            } catch (IllegalArgumentException e) {
+                logger.log("process: invoke: IllegalArgumentException: " +
e.getMessage() + ": closing socket");
+                break;
+            }
+              catch (Throwable e) {
                 logger.log("process: invoke", e);
             }
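
Review bot: The new catch (IllegalArgumentException e) branch leaves the loop with break and writes no reply on the connection first, so the peer only sees the socket close; consider sending an error response for the rejected request before breaking, so the front end does not treat it as a failed worker and resend the same request. The branch also catches every IllegalArgumentException raised in this try block, not only the cookie case, and logs just e.getMessage(), so unrelated failures lose their stack trace; narrowing the catch to the call that can throw it, or logging the trace at a lower level, keeps them diagnosable. Style: keep "} catch (Throwable e) {" on one line, as the removed line had it.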

The patch has been made against the tomcat connectors of 4.0.4 as in my original
environment of the bug report, but I guess it also fits the newer versions of
4.0.x or is easy to adjust to them.

Ok, what are the effects of this patch:

1. The IllegalArgumentException caused by the wrong cookie will be caught, a
   short message without the full stack trace will be logged and the while loop
   starting in line 388 will be left in line 493.
2. Leaving the while loop in line 493 will cause the ajp13 object and thus the
   connection to mod_jk to be closed by the answering AJP13 processor.
3. mod_jk gets an error reading the reply from the AJP13 processor (see
   mod_jk.log excerpt below) because the socket has been closed by the AJP13
   processor. Thus it tries to contact (via new TCP/IP connections) Tomcat two
   more times via the same worker to send the request. In a load balanced
   environment all other workers of the load balanced worker will be tried
   afterwards for three times. After that mod_jk gives up and Apache sends a
   code 500 (Internal server error) back to the client.

Excerpt from mod_jk.log:

[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (652)]: ajp_connection_tcp_get_message: Error - jk_tcp_socket_recvfull failed
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (1013)]: Error reading reply
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (1150)]: In jk_endpoint_t::service, ajp_get_reply failed in send loop 0
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (652)]: ajp_connection_tcp_get_message: Error - jk_tcp_socket_recvfull failed
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (1013)]: Error reading reply
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (1150)]: In jk_endpoint_t::service, ajp_get_reply failed in send loop 1
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (652)]: ajp_connection_tcp_get_message: Error - jk_tcp_socket_recvfull failed
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (1013)]: Error reading reply
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (1150)]: In jk_endpoint_t::service, ajp_get_reply failed in send loop 2
[Sun Dec 29 17:17:07 2002]  [jk_lb_worker.c (373)]: In jk_endpoint_t::service, No more workers left, can not submit the request
[Sun Dec 29 17:17:07 2002]  [jk_lb_worker.c (380)]: In jk_endpoint_t::service: NULL Parameters

Excerpt from catalina_log:

2002-12-29 17:17:07 Ajp13Processor[7006][4] process: invoke: IllegalArgumentException: Cookie name domain is a reserved token: closing socket
2002-12-29 17:17:07 Ajp13Processor[7006][2] process: invoke: IllegalArgumentException: Cookie name domain is a reserved token: closing socket
2002-12-29 17:17:07 Ajp13Processor[7006][2] process: invoke: IllegalArgumentException: Cookie name domain is a reserved token: closing socket


I know that this patch is far from optimal (at least because of the senseless
reconnection tries of mod_jk), but it prevents at least the indefinite blocking
of resources on the Apache and Tomcat side. Thus it helps to prevent a denial of
service attack using this bug. As the JK/AJP connector is deprecated and is not
used any longer in the 4.1.x series, I guess this patch will not find its way
into the CVS, but it may be helpful to people with the same problem who search
for a quick and easy fix of this bug without upgrading.

The patch has been tested within the following environments:

OS: Linux
SDK: 1.4.0_02

OS: Solaris 8
SDK: 1.4.0_02

Regards

Rüdiger Plüm
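
A log check for the behaviour described in effects 1 to 3 above, added here as an example (it is not part of the original message or of the Tomcat/mod_jk code): it pairs mod_jk's three failed send loops with the "closing socket" line the patch writes. The function names, the same-second correlation and the sample log text are assumptions constructed from the two excerpts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs, modelled on the two excerpts in the message above.
MOD_JK_LOG = """\
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (1150)]: In jk_endpoint_t::service, ajp_get_reply failed in send loop 0
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (1150)]: In jk_endpoint_t::service, ajp_get_reply failed in send loop 1
[Sun Dec 29 17:17:07 2002]  [jk_ajp_common.c (1150)]: In jk_endpoint_t::service, ajp_get_reply failed in send loop 2
[Sun Dec 29 17:17:07 2002]  [jk_lb_worker.c (373)]: In jk_endpoint_t::service, No more workers left, can not submit the request
[Sun Dec 29 17:20:41 2002]  [jk_ajp_common.c (1150)]: In jk_endpoint_t::service, ajp_get_reply failed in send loop 0
"""
CATALINA_LOG = """\
2002-12-29 17:17:07 Ajp13Processor[7006][4] process: invoke: IllegalArgumentException: Cookie name domain is a reserved token: closing socket
2002-12-29 17:17:07 Ajp13Processor[7006][2] process: invoke: IllegalArgumentException: Cookie name domain is a reserved token: closing socket
"""

JK_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\[[^\]]+\]:\s+(?P<msg>.*)$")
SEND_LOOP = re.compile(r"ajp_get_reply failed in send loop (\d+)")
CAT_LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Ajp13Processor\S* "
                      r"process: invoke: IllegalArgumentException: (?P<reason>.*): closing socket$")

def jk_retry_failures(text):
    """Map second -> failed send-loop indexes and whether the lb worker gave up."""
    events = defaultdict(lambda: {"loops": set(), "exhausted": False})
    for m in filter(None, map(JK_LINE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        loop = SEND_LOOP.search(m["msg"])
        if loop:
            events[ts]["loops"].add(int(loop.group(1)))
        elif "No more workers left" in m["msg"]:
            events[ts]["exhausted"] = True
    return events

def rejected_requests(text):
    """Map second -> reasons logged by the patched Ajp13Processor before closing."""
    closes = defaultdict(list)
    for m in filter(None, map(CAT_LINE.match, text.splitlines())):
        closes[datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")].append(m["reason"])
    return closes

def correlate(jk_text, catalina_text):
    """Seconds where mod_jk failed all three send loops and Tomcat logged a close."""
    closes = rejected_requests(catalina_text)  # assumption: both logs share a clock
    return [(ts.isoformat(sep=" "), ev["exhausted"], sorted(set(closes[ts])))
            for ts, ev in sorted(jk_retry_failures(jk_text).items())
            if ev["loops"] >= {0, 1, 2} and ts in closes]
```

Each tuple returned by correlate() holds the timestamp, whether the load balancer ran out of workers, and the distinct rejection reasons Tomcat logged in that second.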
