Overview

File tomcat-9.0-CVE-2020-13934.patch of Package tomcat.23710

From 172977f04a5215128f1e278a688983dcd230f399 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Fri, 26 Jun 2020 12:49:50 +0100
Subject: [PATCH] Ensure HTTP/1.1 processor is recycled after a direct h2c
 connection

---
 java/org/apache/coyote/AbstractProtocol.java | 9 ++++++---
 webapps/docs/changelog.xml                   | 4 ++++
 2 files changed, 10 insertions(+), 3 deletions(-)

Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/AbstractProtocol.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
@@ -876,8 +876,10 @@ public abstract class AbstractProtocol<S
                             // Assume direct HTTP/2 connection
                             UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
                             if (upgradeProtocol != null) {
-                                processor = upgradeProtocol.getProcessor(
-                                        wrapper, getProtocol().getAdapter());
+                                // Release the Http11 processor to be re-used
+                                release(processor);
+                                // Create the upgrade processor
+                                processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
                                 wrapper.unRead(leftOverInput);
                                 // Associate with the processor with the connection
                                 wrapper.setCurrentProcessor(processor);
@@ -887,7 +889,8 @@ public abstract class AbstractProtocol<S
                                         "abstractConnectionHandler.negotiatedProcessor.fail",
                                         "h2c"));
                                 }
-                                return SocketState.CLOSED;
+                                // Exit loop and trigger appropriate clean-up
+                                state = SocketState.CLOSED;
                             }
                         } else {
                             HttpUpgradeHandler httpUpgradeHandler = upgradeToken.getHttpUpgradeHandler();
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -104,6 +104,10 @@
         <bug>64485</bug>: Fix possible resource leak geting last modified from
         <code>ConfigurationSource.Resource</code>. (remm)
       </fix>
+      <fix>
+        Ensure that the HTTP/1.1 processor is correctly recycled when a direct
+        connection to h2c is made. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
openSUSE Build Service is sponsored by
Places