
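--- a/jakarta-tomcat-connectors-1.2.15-src.orig/jk/native/common/jk_ajp_common.c
+++ b/jakarta-tomcat-connectors-1.2.15-src.orig/jk/native/common/jk_ajp_common.c
@@ -1380,6 +1380,22 @@ static int ajp_process_callback(jk_msg_b
     case JK_AJP13_SEND_BODY_CHUNK:
         {
             unsigned int len = (unsigned int)jk_b_get_int(msg);
+            /*
+             * Do a sanity check on len to prevent write reading beyond buffer
+             * boundaries and thus revealing possible sensitive memory
+             * contents to the client.
+             * len cannot be larger than msg->len - 3 because the ajp message
+             * contains the magic byte for JK_AJP13_SEND_BODY_CHUNK (1 byte)
+             * and the length of the chunk (2 bytes). The remaining part of
+             * the message is the chunk.
+             */
+            if (len > msg->len - 3) {
+                jk_log(l, JK_LOG_ERROR,
+                       "Chunk length too large. Length of AJP message is %i,"
+                       " chunk length is %i.", msg->len, len);
+                JK_TRACE_EXIT(l);
+                return JK_INTERNAL_ERROR;
+            }
             if (!r->write(r, msg->buf + msg->pos, len)) {
                 jk_log(l, JK_LOG_INFO,
                        "Connection aborted or network problems");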
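Review bot: The bound in the added check at new line 1392 is the constant `msg->len - 3` rather than the bytes that remain after the read position, even though the write two lines later starts at `msg->buf + msg->pos`; the check is only exact when pos is 3 at this point, which the comment asserts but the code does not verify. Deriving the limit from pos, `if (msg->pos > msg->len || len > msg->len - msg->pos) {`, keeps the guard correct if the header layout or the reader's position ever changes, and the first clause also covers a message shorter than three bytes, where `msg->len - 3` would underflow if the field is unsigned or be promoted to unsigned in the comparison if it is signed — the field's type is not visible in the hunk. The jk_log call at 1393–1395 prints the unsigned `len` with `%i`; `%u` matches its declared type, assuming jk_log forwards printf-style conversions. ajp_process_callback begins and continues outside the hunk.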
