File tomcat-9.0-CVE-2021-25122.patch of Package tomcat.27297
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/AbstractProtocol.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
@@ -870,8 +870,10 @@ public abstract class AbstractProtocol<S
if (state == SocketState.UPGRADING) {
// Get the HTTP upgrade handler
UpgradeToken upgradeToken = processor.getUpgradeToken();
- // Retrieve leftover input
+ // Restore leftover input to the wrapper so the upgrade
+ // processor can process it.
ByteBuffer leftOverInput = processor.getLeftoverInput();
+ wrapper.unRead(leftOverInput);
if (upgradeToken == null) {
// Assume direct HTTP/2 connection
UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
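Review bot: The new comment above `wrapper.unRead(leftOverInput)` says what the call does but not the ordering constraint that appears to be the actual fix. The call now runs before `release(processor)` (visible in the next hunk), presumably so the leftover bytes are handed back to the socket wrapper while the HTTP/1.1 processor still owns them. I would state that in the comment, e.g. `// Must precede release(processor): the leftover input is owned by the processor being released.`, so a later refactor does not move the call back down. Because the call now sits above `if (upgradeToken == null)`, it also covers the `else` branch, whose body is outside this hunk; confirm that branch does not still call `wrapper.unRead(leftOverInput)` itself. The enclosing method starts and ends outside the hunk.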
@@ -880,7 +882,6 @@ public abstract class AbstractProtocol<S
release(processor);
// Create the upgrade processor
processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
- wrapper.unRead(leftOverInput);
// Associate with the processor with the connection
wrapper.setCurrentProcessor(processor);
} else {
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -174,6 +174,10 @@
<subsection name="Catalina">
<changelog>
<fix>
+ Additional fix for <bug>64830</bug> to address an edge case that could
+ trigger request corruption with h2c connections. (markt)
+ </fix>
+ <fix>
Reduce reflection use and remove AJP specific code in the Connector.
(remm/markt/fhanik)
</fix>