Bug 38859 - mod_jk reads beyond buffer boundaries if length of chunk too long in send_body_chunk message
Product: Tomcat Connectors
Classification: Unclassified
Component: Common
Version: unspecified
Hardware: Other All
Importance: P2 normal
Assignee: Tomcat Developers Mailing List
Keywords: PatchAvailable
Reported: 2006-03-05 17:09 UTC by Ruediger Pluem
Modified: 2014-02-17 13:50 UTC (History)

Patch against mod_jk 1.2.15 (1.50 KB, patch)
2006-03-05 17:10 UTC, Ruediger Pluem

Description Ruediger Pluem 2006-03-05 17:09:49 UTC
The AJP connector of Tomcat 5.5.15 contained a bug that sometimes set too
long a length for the chunks delivered by send_body_chunks AJP messages. This
has meanwhile been fixed by http://svn.apache.org/viewcvs.cgi?rev=381505&view=rev.

A bug of this type can cause mod_jk to read beyond buffer boundaries and thus
reveal sensitive memory information to a client. The attached patch against
mod_jk 1.2.15 adds a sanity check to prevent mod_jk from reading beyond
buffer boundaries in such cases. This protects mod_jk against buggy or
malicious AJP servers in the backend.
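
The kind of sanity check the description above asks for, as an added example in C (it is not the attached patch and not mod_jk code). The function name, the sample payloads and the simplified payload layout (prefix code 0x03, 2-byte big-endian chunk length, chunk data) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SEND_BODY_CHUNK 0x03   /* AJP13 prefix code of the message */
#define HDR_LEN 3              /* prefix code + 2-byte chunk length */

/* Hypothetical helper (not mod_jk code). msg points at msg_len payload
 * bytes received from the backend: prefix code, big-endian chunk length,
 * chunk data. Returns 0 and sets *chunk and *chunk_len, or -1 if the
 * message is truncated, of another type, or declares more data than it
 * actually carries. */
int parse_send_body_chunk(const uint8_t *msg, size_t msg_len,
                          const uint8_t **chunk, size_t *chunk_len)
{
    size_t declared;

    if (msg == NULL || msg_len < HDR_LEN || msg[0] != SEND_BODY_CHUNK)
        return -1;
    declared = ((size_t)msg[1] << 8) | msg[2];
    /* Sanity check: the length chosen by the backend must fit in the
     * bytes left after the header. Comparing against the remainder
     * (not msg + declared) avoids any wrap-around. */
    if (declared > msg_len - HDR_LEN)
        return -1;
    *chunk = msg + HDR_LEN;
    *chunk_len = declared;
    return 0;
}

/* Constructed sample payloads, not captured traffic. */
static const uint8_t GOOD_MSG[] = { 0x03, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t OVERLONG_MSG[] = { 0x03, 0x20, 0x00, 'h', 'i' }; /* claims 8192 */

int main(void)
{
    const uint8_t *chunk;
    size_t len;

    if (parse_send_body_chunk(GOOD_MSG, sizeof GOOD_MSG, &chunk, &len) == 0)
        printf("good: forwarding %zu bytes\n", len);
    if (parse_send_body_chunk(OVERLONG_MSG, sizeof OVERLONG_MSG, &chunk, &len) != 0)
        printf("overlong: rejected, nothing forwarded\n");
    return 0;
}
```

Without the `declared > msg_len - HDR_LEN` test, the second payload would make the caller copy 8192 bytes from a 5-byte message, which is the out-of-bounds read described in this report.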
Comment 1 Ruediger Pluem 2006-03-05 17:10:56 UTC
Created attachment 17837
Patch against mod_jk 1.2.15
Comment 2 Mladen Turk 2006-03-16 08:18:26 UTC