File apache-tomcat-CVE-2011-3190.patch of Package tomcat6.import5619
Index: apache-tomcat-6.0.32-src/java/org/apache/coyote/ajp/AjpProcessor.java
===================================================================
--- apache-tomcat-6.0.32-src/java/org/apache/coyote/ajp/AjpProcessor.java (revision 1162958)
+++ apache-tomcat-6.0.32-src/java/org/apache/coyote/ajp/AjpProcessor.java (revision 1162959)
@@ -423,11 +423,13 @@
}
continue;
} else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
}
- continue;
+ error = true;
+ break;
}
request.setStartTime(System.currentTimeMillis());
@@ -1061,6 +1063,11 @@
finished = true;
+ // Swallow the unread body packet if present
+ if (first && request.getContentLengthLong() > 0) {
+ receive();
+ }
+
// Add the end message
output.write(endMessageArray);
Index: apache-tomcat-6.0.32-src/java/org/apache/coyote/ajp/AjpAprProcessor.java
===================================================================
--- apache-tomcat-6.0.32-src/java/org/apache/coyote/ajp/AjpAprProcessor.java (revision 1162958)
+++ apache-tomcat-6.0.32-src/java/org/apache/coyote/ajp/AjpAprProcessor.java (revision 1162959)
@@ -405,11 +405,13 @@
}
continue;
} else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
}
- continue;
+ error = true;
+ break;
}
keptAlive = true;
@@ -1056,6 +1058,11 @@
finished = true;
+ // Swallow the unread body packet if present
+ if (first && request.getContentLengthLong() > 0) {
+ receive();
+ }
+
// Add the end message
if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
flush();