Lines 1380-1385
static int ajp_process_callback(jk_msg_b
|
1380 |
case JK_AJP13_SEND_BODY_CHUNK: |
1380 |
case JK_AJP13_SEND_BODY_CHUNK: |
1381 |
{ |
1381 |
{ |
1382 |
unsigned int len = (unsigned int)jk_b_get_int(msg); |
1382 |
unsigned int len = (unsigned int)jk_b_get_int(msg); |
|
|
1383 |
/* |
1384 |
* Do a sanity check on len to prevent write reading beyond buffer |
1385 |
* boundaries and thus revealing possible sensitive memory |
1386 |
* contents to the client. |
1387 |
* len cannot be larger than msg->len - 3 because the ajp message |
1388 |
* contains the magic byte for JK_AJP13_SEND_BODY_CHUNK (1 byte) |
1389 |
* and the length of the chunk (2 bytes). The remaining part of |
1390 |
* the message is the chunk. |
1391 |
*/ |
1392 |
if (len > msg->len - 3) { |
1393 |
jk_log(l, JK_LOG_ERROR, |
1394 |
"Chunk length too large. Length of AJP message is %i," |
1395 |
" chunk length is %i.", msg->len, len); |
1396 |
JK_TRACE_EXIT(l); |
1397 |
return JK_INTERNAL_ERROR; |
1398 |
} |
1383 |
if (!r->write(r, msg->buf + msg->pos, len)) { |
1399 |
if (!r->write(r, msg->buf + msg->pos, len)) { |
1384 |
jk_log(l, JK_LOG_INFO, |
1400 |
jk_log(l, JK_LOG_INFO, |
1385 |
"Connection aborted or network problems"); |
1401 |
"Connection aborted or network problems"); |
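Review bot: The new guard `if (len > msg->len - 3)` compares the unsigned `len` against a subtraction that can go negative. If `msg->len` is a signed int (the `%i` in the log call suggests so) and the message is shorter than 3 bytes, the right-hand side converts to a very large unsigned value and the check passes for any `len`. Rejecting short messages first closes that gap, e.g. `if (msg->len < 3 || len > (unsigned int)(msg->len - 3)) {`. Because the write starts at `msg->buf + msg->pos`, bounding `len` by the bytes remaining after `msg->pos` would tie the check to the actual read offset, assuming `msg->len` counts from the start of `msg->buf`. `len` is unsigned, so its conversion in the log message should be `%u` rather than `%i`; the enclosing ajp_process_callback starts and ends outside this hunk.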