billbarker    02/02/07 19:10:48

  Modified:    src/share/org/apache/tomcat/util/net TcpConnection.java
  Log:
  Prevent a possible DoS exploit.
  
  The last fix opens the possibility of a DoS attack by continuously streaming data to 
Tomcat.  This should be a good compromise between being nice and staying alive.
  
  Thanks to Costin for making me aware of this potential problem.
  
  Revision  Changes    Path
  1.4       +12 -4     
jakarta-tomcat/src/share/org/apache/tomcat/util/net/TcpConnection.java
  
  Index: TcpConnection.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/TcpConnection.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- TcpConnection.java        2 Feb 2002 03:24:32 -0000       1.3
  +++ TcpConnection.java        8 Feb 2002 03:10:48 -0000       1.4
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/TcpConnection.java,v 1.3 
2002/02/02 03:24:32 billbarker Exp $
  - * $Revision: 1.3 $
  - * $Date: 2002/02/02 03:24:32 $
  + * $Header: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/net/TcpConnection.java,v 1.4 
2002/02/08 03:10:48 billbarker Exp $
  + * $Revision: 1.4 $
  + * $Date: 2002/02/08 03:10:48 $
    *
    * ====================================================================
    *
  @@ -72,6 +72,10 @@
    *
    */
   public class TcpConnection  { // implements Endpoint {
  +    /**
  +     * Maxium number of times to clear the socket input buffer.
  +     */
  +    static  int MAX_SHUTDOWN_TRIES=20;
   
       public TcpConnection() {
       }
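Review bot: `MAX_SHUTDOWN_TRIES` is declared as a package-private, non-final static with a constant-style name, so any class in the package can change the drain limit without going through the setter. A value written by one thread is also not guaranteed to be visible to the connection threads that read it. I would declare it `private static volatile int MAX_SHUTDOWN_TRIES = 20;` (or rename it to `maxShutdownTries`, since it is not a constant) and keep the setter as the only writer. The Javadoc should read "Maximum" and say what one try is: in the shutdown loop later in this diff it is one `available()`/`skip()` pass, not a byte or time limit.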
  @@ -81,6 +85,9 @@
       PoolTcpEndpoint endpoint;
       Socket socket;
   
  +    public static void setMaxShutdownTries(int mst) {
  +     MAX_SHUTDOWN_TRIES = mst;
  +    }
       public void setEndpoint(PoolTcpEndpoint endpoint) {
        this.endpoint = endpoint;
       }
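Review bot: `setMaxShutdownTries` accepts any int, so the bound this commit introduces can be configured away again: `Integer.MAX_VALUE` effectively restores the unbounded drain loop, and zero or a negative value skips draining entirely with no indication. Because the method is public and static, the setting is process-wide and can be changed by any code that can see the class. I would reject out-of-range values, e.g. `if (mst < 0 || mst > UPPER_LIMIT) throw new IllegalArgumentException("maxShutdownTries: " + mst);`, where `UPPER_LIMIT` is a placeholder for a ceiling the project would choose. The method also needs Javadoc stating the default of 20 and that the value applies to every connection.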
  @@ -129,12 +136,13 @@
        try {
            InputStream is = socket.getInputStream();
            int available = is.available ();
  +         int count=0;
            
            // XXX on JDK 1.3 just socket.shutdownInput () which
            // was added just to deal with such issues.
            
            // skip any unread (bogus) bytes
  -         while (available > 0) {
  +         while (available > 0 && count++ < MAX_SHUTDOWN_TRIES) {
                is.skip (available);
                available = is.available();
            }
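Review bot: When the loop stops because `count` reached `MAX_SHUTDOWN_TRIES` while `available` is still positive, the code carries on silently, so a peer that keeps streaming during shutdown leaves no trace an operator could alert on. A check after the loop, `if (available > 0) { /* log that the drain limit was hit, with the remote address */ }`, would make that case visible. A short comment on the new condition would also help, saying that the cap is on drain passes and that unread bytes may remain when it is hit. The `try` block continues past the end of the hunk, so how the socket is closed afterwards is not visible here.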
  
  
  
