← Back to branch summary

~ubuntu-branches/ubuntu/vivid/tomcat6/vivid

« back to all changes in this revision

Viewing changes to debian/patches/cve-2012-2733.patch

  • Committer: Package Import Robot
  • Author(s): Michael Gilbert
  • Date: 2012-11-17 23:15:03 UTC
  • Revision ID: package-import@ubuntu.com-20121117231503-8nq52dpbxybriwqd
Tags: 6.0.35-5+nmu1
http://bugs.debian.org/692440
* Non-maintainer upload.
* Fix multiple security issues (closes: #692440)
  - cve-2012-2733: denial-of-service by triggering out of memory error.
  - cve-2012-3439: multiple replay attack issues in digest authentication. 

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/cve-2012-2733.patch
 
1
--- trunk/java/org/apache/coyote/http11/InternalNioInputBuffer.java     2012/07/02 12:47:54     1356207
 
2
+++ trunk/java/org/apache/coyote/http11/InternalNioInputBuffer.java     2012/07/02 13:01:28     1356208
 
3
@@ -673,10 +673,6 @@
 
4
         
 
5
         do {
 
6
             status = parseHeader();
 
7
-        } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS );
 
8
-        if (status == HeaderParseStatus.DONE) {
 
9
-            parsingHeader = false;
 
10
-            end = pos;
 
11
             // Checking that
 
12
             // (1) Headers plus request line size does not exceed its limit
 
13
             // (2) There are enough bytes to avoid expanding the buffer when
 
14
@@ -685,11 +681,15 @@
 
15
             // limitation to enforce the meaning of headerBufferSize
 
16
             // From the way how buf is allocated and how blank lines are being
 
17
             // read, it should be enough to check (1) only.
 
18
-            if (end - skipBlankLinesBytes > headerBufferSize
 
19
-                    || buf.length - end < socketReadBufferSize) {
 
20
+            if (pos - skipBlankLinesBytes > headerBufferSize
 
21
+                    || buf.length - pos < socketReadBufferSize) {
 
22
                 throw new IllegalArgumentException(
 
23
                         sm.getString("iib.requestheadertoolarge.error"));
 
24
             }
 
25
+        } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS );
 
26
+        if (status == HeaderParseStatus.DONE) {
 
27
+            parsingHeader = false;
 
28
+            end = pos;
 
29
             return true;
 
30
         } else {
 
31
             return false;