Detect incomplete AJP messages


git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc5.5.x/trunk@1172317 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/STATUS.txt b/STATUS.txt
index c6a2f43..f12cb73 100644
--- a/STATUS.txt
+++ b/STATUS.txt
@@ -24,14 +24,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK/OTHER:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-* Detect incomplete AJP messages and reject the associated request if one is
-  found
-  http://people.apache.org/~markt/patches/2011-08-25-ajp-incomplete-msg-tc5.patch
-  +1: markt
-  +1: kkolinko, rjung: In AjpMessage#validatePos() s/"" + posToTest/String.valueOf(posToTest)/
-        +1 to mark AjpMessage#getBytes(byte[]) as /**@deprecated*/ - it is never used.
-  -1:
-
 PATCHES PROPOSED TO BACKPORT:
   [ New proposals should be added at the end of the list ]
 
diff --git a/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java b/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
index 10ddf00..fa70319 100644
--- a/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
+++ b/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
@@ -1136,7 +1136,7 @@
             return false;
         }
 
-        bodyMessage.getBytes(bodyBytes);
+        bodyMessage.getBodyBytes(bodyBytes);
         empty = false;
         return true;
     }
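Review bot: Nothing at this call site shows what happens when `getBodyBytes(bodyBytes)` throws. With this commit it can raise an unchecked `ArrayIndexOutOfBoundsException` for a body chunk whose declared length runs past the end of the AJP message. The enclosing method starts outside the hunk, so an existing catch further up may already cover it. It is worth confirming that this path fails the request rather than continuing to use the connection with a half-read message. A comment here would record the contract, e.g. `// body chunk has no trailing \0; throws ArrayIndexOutOfBoundsException if its declared length exceeds the message`.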
diff --git a/connectors/jk/java/org/apache/coyote/ajp/AjpMessage.java b/connectors/jk/java/org/apache/coyote/ajp/AjpMessage.java
index 38656ff..9e0ffc0 100644
--- a/connectors/jk/java/org/apache/coyote/ajp/AjpMessage.java
+++ b/connectors/jk/java/org/apache/coyote/ajp/AjpMessage.java
@@ -297,11 +297,13 @@
     public int getInt() {
         int b1 = buf[pos++] & 0xFF;
         int b2 = buf[pos++] & 0xFF;
+        validatePos(pos);
         return (b1<<8) + b2;
     }
 
 
     public int peekInt() {
+        validatePos(pos + 2);
         int b1 = buf[pos] & 0xFF;
         int b2 = buf[pos+1] & 0xFF;
         return (b1<<8) + b2;
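Review bot: In `getInt()` the bounds check runs after both `buf[pos++]` reads, whereas `peekInt()` just below checks `pos + 2` before touching the buffer. Checking afterwards means bytes past the declared message length are read first and `pos` is left beyond the end when the exception is thrown. If `buf` were ever shorter than the claimed position, the raw array access would fail before the localized message is produced; the buffer's size is not visible here. Putting `validatePos(pos + 2);` on the first line makes the two methods consistent. The same check-after-read order appears in `getByte()` in the next hunk (`validatePos(pos + 1);` first) and in the multi-byte reader in the `@@ -371,6 +391,7 @@` hunk, whose start is outside the diff.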
@@ -310,25 +312,41 @@
     
     public byte getByte() {
         byte res = buf[pos++];
+        validatePos(pos);
         return res;
     }
 
     
     public byte peekByte() {
+        validatePos(pos + 1);
         byte res = buf[pos];
         return res;
     }
 
-    
     public void getBytes(MessageBytes mb) {
+        doGetBytes(mb, true);
+    }
+    
+    public void getBodyBytes(MessageBytes mb) {
+        doGetBytes(mb, false);
+    }
+    
+    private void doGetBytes(MessageBytes mb, boolean terminated) {
         int length = getInt();
         if ((length == 0xFFFF) || (length == -1)) {
             mb.recycle();
             return;
         }
+        if (terminated) {
+            validatePos(pos + length + 1);
+        } else {
+            validatePos(pos + length);
+        }
         mb.setBytes(buf, pos, length);
         pos += length;
-        pos++; // Skip the terminating \0
+        if (terminated) {
+            pos++; // Skip the terminating \0
+        }
     }
     
     
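Review bot: The new public `getBodyBytes(MessageBytes)` and the `terminated` flag of `doGetBytes` are undocumented, yet the difference between the two entry points is the part a reader must get right: one requires `length + 1` bytes inside the message, the other `length`. I would add Javadoc such as `/** Reads a length-prefixed byte run that has no trailing \0, as used for request body chunks. */` on `getBodyBytes`, with a matching line on `getBytes`. The two `if (terminated)` blocks could also collapse into one computed end position: `int end = pos + length + (terminated ? 1 : 0);`, then `validatePos(end);`, and `pos = end;` after `setBytes`.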
@@ -338,6 +356,7 @@
      * on the encoding.
      *
      * @return The number of bytes copied.
+     * @deprecated
      */
     public int getBytes(byte[] dest) {
         int length = getInt();
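Review bot: The added `@deprecated` tag carries no text, so the generated documentation and the compiler warning give callers neither a reason nor a next step. The STATUS.txt entry removed in this same commit records that the method is never used, and the tag could say so, e.g. `@deprecated Unused - will be removed.` The method body continues outside the hunk.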
@@ -349,6 +368,7 @@
         if ((length == 0xFFFF) || (length == -1)) {
             return 0;
         }
+        validatePos(pos + length + 1);
 
         System.arraycopy(buf, pos, dest, 0, length);
         pos += length;
@@ -371,6 +391,7 @@
         b1 |= (buf[pos++] & 0xFF);
         b1 <<=8;
         b1 |= (buf[pos++] & 0xFF);
+        validatePos(pos);
         return  b1;
     }
 
@@ -419,6 +440,15 @@
     }
 
 
+    private void validatePos(int posToTest) {
+        if (posToTest > len + 4) {
+            // Trying to read data beyond the end of the AJP message
+            throw new ArrayIndexOutOfBoundsException(sm.getString(
+                    "ajpMessage.invalidPos", String.valueOf(posToTest)));
+        }
+    }
+
+
     // ------------------------------------------------------ Protected Methods
 
 
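Review bot: The `4` in `posToTest > len + 4` is unexplained. It presumably stands for the AJP packet header (two magic bytes plus the two-byte length) that sits in front of the `len` payload bytes in `buf`, but `len` is defined outside the hunk. A comment such as `// len counts the payload only; the 4-byte AJP header precedes it in buf` would let a reader verify the bound, as would the package's header-size constant if it has one. A short Javadoc stating that the method throws `ArrayIndexOutOfBoundsException` on an over-long read would also help, since every public getter that calls it now inherits that behaviour.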
diff --git a/connectors/jk/java/org/apache/coyote/ajp/LocalStrings.properties b/connectors/jk/java/org/apache/coyote/ajp/LocalStrings.properties
index 1ce513e..acb859e 100644
--- a/connectors/jk/java/org/apache/coyote/ajp/LocalStrings.properties
+++ b/connectors/jk/java/org/apache/coyote/ajp/LocalStrings.properties
@@ -49,4 +49,4 @@
 ajpmessage.overflow=Overflow error for buffer adding {0} bytes at position {1}
 ajpmessage.read=Requested {0} bytes exceeds message available data
 ajpmessage.invalid=Invalid message recieved with signature {0}
-
+ajpMessage.invalidPos=Requested read of bytes at position [{0}] which is beyond the end of the AJP message
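Review bot: The new key `ajpMessage.invalidPos` is spelled with a capital `M`, while every neighbouring key in this hunk uses `ajpmessage.*`. The lookup in `validatePos` uses the same spelling, so it resolves, but the mixed casing is easy to mistype and easy to miss when searching the bundle. Using `ajpmessage.invalidPos` both here and in the `sm.getString(...)` call would match the rest of the file.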