tomcat/CVE-2021-25122.patch

From 7b8b7134813a356595eacf01fd9e8ea6b3752c8b Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Thu, 11 Mar 2021 18:42:09 +0800
Subject: [PATCH] Simplify the code and fix an edge case for BZ 64830

https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
---
 java/org/apache/coyote/AbstractProtocol.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/coyote/AbstractProtocol.java b/java/org/apache/coyote/AbstractProtocol.java
index 9f83906..b5c4d5b 100644
--- a/java/org/apache/coyote/AbstractProtocol.java
+++ b/java/org/apache/coyote/AbstractProtocol.java
@@ -766,8 +766,10 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
                     if (state == SocketState.UPGRADING) {
                         // Get the HTTP upgrade handler
                         UpgradeToken upgradeToken = processor.getUpgradeToken();
-                        // Retrieve leftover input
+                        // Restore leftover input to the wrapper so the upgrade
+                        // processor can process it.
                         ByteBuffer leftOverInput = processor.getLeftoverInput();
+                        wrapper.unRead(leftOverInput);
                         if (upgradeToken == null) {
                             // Assume direct HTTP/2 connection
                             UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
@@ -776,7 +778,6 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
                                 release(processor);
                                 // Create the upgrade processor
                                 processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
-                                wrapper.unRead(leftOverInput);
                                 // Associate with the processor with the connection
                                 connections.put(socket, processor);
                             } else {
@@ -798,7 +799,6 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
                                 getLog().debug(sm.getString("abstractConnectionHandler.upgradeCreate",
                                         processor, wrapper));
                             }
-                            wrapper.unRead(leftOverInput);
                             // Associate with the processor with the connection
                             connections.put(socket, processor);
                             // Initialise the upgrade handler (which may trigger
-- 
2.23.0