38859 – mod_jk reads beyond buffer boundaries if length of chunk too long in send_body_chunk message

Bug 38859 - mod_jk reads beyond buffer boundaries if length of chunk too long in send_body_chunk message

Summary: mod_jk reads beyond buffer boundaries if length of chunk too long in send_bod...

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat Connectors
Classification:	Unclassified
Component:	Common (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:	PatchAvailable

Depends on:
Blocks:

Reported:	2006-03-05 17:09 UTC by Ruediger Pluem
Modified:	2014-02-17 13:50 UTC (History)
CC List:	0 users

Attachments
Patch against mod_jk 1.2.15 (1.50 KB, patch) 2006-03-05 17:10 UTC, Ruediger Pluem	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ruediger Pluem 2006-03-05 17:09:49 UTC

The AJP connector of Tomcat 5.5.15 contained a bug that sometimes set a too
long length for the chunks delivered by send_body_chunks AJP messages. This
is fixed meanwhile by http://svn.apache.org/viewcvs.cgi?rev=381505&view=rev.

A bug of this type can cause mod_jk to read beyond buffer boundaries and thus
reveal sensitive memory information to a client. The attached patch against
mod_jk 1.2.15 adds a sanity check to prevent mod_jk from reading beyond
buffer boundaries in such cases. This protects mod_jk against buggy or
malicious AJP servers in the backend.

Comment 1 Ruediger Pluem 2006-03-05 17:10:56 UTC

Created attachment 17837 [details]
Patch against mod_jk 1.2.15

Comment 2 Mladen Turk 2006-03-16 08:18:26 UTC

Commited.
Thanks!