Bug 59089 - ArrayIndexOutOfBoundsException if header name contains byte values > 127
Summary: ArrayIndexOutOfBoundsException if header name contains byte values > 127
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 8.0.32
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2016-02-29 13:43 UTC by Michael Kaufmann
Modified: 2016-03-03 11:53 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Kaufmann 2016-02-29 13:43:52 UTC
If a header name contains a byte value > 127, Tomcat 8 throws this exception:

29-Feb-2016 09:42:47.833 INFO [http-nio-8080-exec-3] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
 java.lang.ArrayIndexOutOfBoundsException: -61
	at org.apache.coyote.http11.AbstractNioInputBuffer.parseHeader(AbstractNioInputBuffer.java:474)
	at org.apache.coyote.http11.AbstractNioInputBuffer.parseHeaders(AbstractNioInputBuffer.java:381)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1024)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

The corresponding source code is:

    } else if (!HTTP_TOKEN_CHAR[chr]) {
        // If a non-token header is detected, skip the line and
        // ignore the header
        headerData.lastSignificantChar = pos;
        return skipLine();

"chr" may be negative (-128 ... 127), so this is a possible bugfix:
    } else if (chr < 0 || !HTTP_TOKEN_CHAR[chr]) {

This bug is present in 3 source files:
- AbstractNioInputBuffer.java
- InternalAprInputBuffer.java
- InternalInputBuffer.java
Comment 1 Mark Thomas 2016-03-03 11:53:04 UTC
Thanks for the report. This has been fixed in trunk for 9.0.0.M4 onwards and 8.0.x for 8.0.33 onwards.

In 7.0.x and earlier the request is rejected with a 400 response.