View | Details | Raw Unified | Return to bug 38859
Collapse All | Expand All

(-)jakarta-tomcat-connectors-1.2.15-src.orig/jk/native/common/jk_ajp_common.c (+16 lines)
Lines 1380-1385 static int ajp_process_callback(jk_msg_b Link Here
1380 
    case JK_AJP13_SEND_BODY_CHUNK:
 1380 
    case JK_AJP13_SEND_BODY_CHUNK:
1381 
        {
 1381 
        {
1382 
            unsigned int len = (unsigned int)jk_b_get_int(msg);
 1382 
            unsigned int len = (unsigned int)jk_b_get_int(msg);
1383 
            /*
1384 
             * Do a sanity check on len to prevent write reading beyond buffer
1385 
             * boundaries and thus revealing possible sensitive memory
1386 
             * contents to the client.
1387 
             * len cannot be larger than msg->len - 3 because the ajp message
1388 
             * contains the magic byte for JK_AJP13_SEND_BODY_CHUNK (1 byte)
1389 
             * and the length of the chunk (2 bytes). The remaining part of
1390 
             * the message is the chunk.
1391 
             */
1392 
            if (len > msg->len - 3) {
1393 
                jk_log(l, JK_LOG_ERROR,
1394 
                       "Chunk length too large. Length of AJP message is %i,"
1395 
                       " chunk length is %i.", msg->len, len);
1396 
                JK_TRACE_EXIT(l);
1397 
                return JK_INTERNAL_ERROR;
1398 
            }
1383 
            if (!r->write(r, msg->buf + msg->pos, len)) {
 1399 
            if (!r->write(r, msg->buf + msg->pos, len)) {
1384 
                jk_log(l, JK_LOG_INFO,
 1400 
                jk_log(l, JK_LOG_INFO,
1385 
                       "Connection aborted or network problems");
 1401 
                       "Connection aborted or network problems");

Return to bug 38859