Bug 38859

Summary: mod_jk reads beyond buffer boundaries if length of chunk too long in send_body_chunk message
Product: Tomcat Connectors
Reporter: Ruediger Pluem <rpluem>
Component: Common
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal
Keywords: PatchAvailable
Priority: P2
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Attachments: Patch against mod_jk 1.2.15

Description Ruediger Pluem 2006-03-05 17:09:49 UTC
The AJP connector of Tomcat 5.5.15 contained a bug that sometimes set too
long a length for the chunks delivered by send_body_chunk AJP messages. This
has meanwhile been fixed by http://svn.apache.org/viewcvs.cgi?rev=381505&view=rev.

A bug of this type can cause mod_jk to read beyond buffer boundaries and thus
reveal sensitive memory information to a client. The attached patch against
mod_jk 1.2.15 adds a sanity check to prevent mod_jk from reading beyond
buffer boundaries in such cases. This protects mod_jk against buggy or
malicious AJP servers in the backend.
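The kind of sanity check the report asks for, as an added example that is neither the attached patch nor mod_jk's own code: the packet layout assumed here (magic 'A' 'B', 2-byte payload length, prefix 0x03, 2-byte chunk length, chunk bytes) follows the AJP13 protocol description, and the two sample packets are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdio.h>

/* AJP13 container->web packet: magic 'A' 'B', 2-byte payload length, payload.
 * SEND_BODY_CHUNK payload: prefix 0x03, 2-byte chunk length, chunk bytes.
 * Layout assumed from the AJP13 protocol description; not mod_jk's code. */
#define AJP_MAGIC_A         0x41
#define AJP_MAGIC_B         0x42
#define AJP_SEND_BODY_CHUNK 0x03

/* Parse one SEND_BODY_CHUNK packet held in pkt[0..pkt_len).
 * Returns the chunk length when every length fits inside the bytes actually
 * received, or -1 on any structural problem, including a chunk length that
 * would run past the buffer (the case the report describes). The data start
 * is returned through *data so the caller never indexes past pkt_len. */
static long body_chunk_len(const unsigned char *pkt, size_t pkt_len,
                           const unsigned char **data)
{
    size_t payload_len, chunk_len;

    if (pkt_len < 4 || pkt[0] != AJP_MAGIC_A || pkt[1] != AJP_MAGIC_B)
        return -1;                      /* no header or bad magic */
    payload_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (payload_len > pkt_len - 4)
        return -1;                      /* packet claims more than we have */
    if (payload_len < 3 || pkt[4] != AJP_SEND_BODY_CHUNK)
        return -1;                      /* not a body chunk, or truncated */
    chunk_len = ((size_t)pkt[5] << 8) | pkt[6];
    if (chunk_len > payload_len - 3)
        return -1;                      /* the sanity check: chunk must fit */
    if (data)
        *data = pkt + 7;
    return (long)chunk_len;
}

/* Constructed sample packets. */
static const unsigned char good_pkt[] = {
    0x41, 0x42, 0x00, 0x08,             /* magic, payload length 8 */
    0x03, 0x00, 0x05,                   /* SEND_BODY_CHUNK, chunk length 5 */
    'h', 'e', 'l', 'l', 'o' };
static const unsigned char bad_pkt[] = {
    0x41, 0x42, 0x00, 0x08,
    0x03, 0x40, 0x00,                   /* chunk length 16384: past the buffer */
    'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    printf("good: %ld\n", body_chunk_len(good_pkt, sizeof good_pkt, NULL));
    printf("bad:  %ld\n", body_chunk_len(bad_pkt, sizeof bad_pkt, NULL));
    return 0;
}
```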
Comment 1 Ruediger Pluem 2006-03-05 17:10:56 UTC
Created attachment 17837 [details]
Patch against mod_jk 1.2.15
Comment 2 Mladen Turk 2006-03-16 08:18:26 UTC