craigmcc    01/08/21 11:51:52

  Modified:    catalina/src/share/org/apache/catalina/core
                        StandardServer.java
  Log:
  Fix for a DoS attack against the shutdown port, that could cause an "out
  of memory" exception by sending a continuous stream of characters.  Now,
  Tomcat will only listen for enough characters to match or not-match the
  required password, then it shuts the port.
  
  PR: Bugzilla #3210
  Submitted by: Mike Price <[EMAIL PROTECTED]>
  
  Revision  Changes    Path
  1.8       +8 -6      
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java
  
  Index: StandardServer.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- StandardServer.java       2001/07/22 20:25:08     1.7
  +++ StandardServer.java       2001/08/21 18:51:52     1.8
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java,v
 1.7 2001/07/22 20:25:08 pier Exp $
  - * $Revision: 1.7 $
  - * $Date: 2001/07/22 20:25:08 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardServer.java,v
 1.8 2001/08/21 18:51:52 craigmcc Exp $
  + * $Revision: 1.8 $
  + * $Date: 2001/08/21 18:51:52 $
    *
    * ====================================================================
    *
  @@ -87,7 +87,7 @@
    * (but not required) when deploying and starting Catalina.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.7 $ $Date: 2001/07/22 20:25:08 $
  + * @version $Revision: 1.8 $ $Date: 2001/08/21 18:51:52 $
    */
   
   public final class StandardServer
  @@ -289,9 +289,10 @@
                   continue;
               }
   
  -            // Read a line of characters from the socket
  +            // Read a set of characters from the socket
               StringBuffer command = new StringBuffer();
  -            while (true) {
  +            int expected = shutdown.length();
  +            while (expected > 0) {
                   int ch = -1;
                   try {
                       ch = stream.read();
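Review bot: The new `expected` bound caps how much `command` can grow, but the per-byte `ch = stream.read();` inside the try still has no visible time limit, so a client that connects and then sends fewer than `expected` bytes (or nothing at all) keeps this accept loop blocked until it disconnects. Unless a read timeout is already applied to the accepted socket outside this hunk, a `setSoTimeout(...)` on it before the `while (expected > 0)` loop would close that remaining resource-exhaustion path. Deriving the bound from `shutdown.length()` also couples the number of bytes accepted before the close to the password's length; a fixed maximum independent of the password would keep that observable behaviour decoupled from the secret, since the `ch < 32` break in the next hunk still ends a well-formed command early — the `expected--;` added there is the other half of this same change. The comparison of `command` against `shutdown`, and the rest of the enclosing method, lie outside the hunk.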
  @@ -303,6 +304,7 @@
                   if (ch < 32)  // Control character or EOF terminates loop
                       break;
                   command.append((char) ch);
  +                expected--;
               }
   
               // Close the socket now that we are done with it
  
  
  
