From b0732610112cb2066b5e43a47a11008edfacee02 Mon Sep 17 00:00:00 2001
From: Flavia Rainone <frainone@redhat.com>
Date: Thu, 8 Jun 2023 01:22:47 -0300
Subject: [PATCH] [UNDERTOW-2280] CVE-2023-5379 At AjpReadListener, do not
close the connection if read is larger than maxRequestSize
Signed-off-by: Flavia Rainone <frainone@redhat.com>
Origin:
https://github.com/undertow-io/undertow/commit/b422fdf0f2a5a051a9cd1664ead8277e421a0083
---
.../java/io/undertow/server/protocol/ajp/AjpReadListener.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
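diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
index 8f9c94abb0..a9631b3717 100644
--- a/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
+++ b/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
@@ -19,6 +19,7 @@
 package io.undertow.server.protocol.ajp;
 
 import io.undertow.UndertowLogger;
+import io.undertow.UndertowMessages;
 import io.undertow.UndertowOptions;
 import io.undertow.conduits.ConduitListener;
 import io.undertow.conduits.EmptyStreamSourceConduit;
@@ -165,8 +166,7 @@ public void handleEvent(final StreamSourceChannel channel) {
 }
 if (read > maxRequestSize) {
 UndertowLogger.REQUEST_LOGGER.requestHeaderWasTooLarge(connection.getPeerAddress(), maxRequestSize);
- safeClose(connection);
- return;
+ throw UndertowMessages.MESSAGES.badRequest();
 }
 } while (!state.isComplete());
 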
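Review bot: The exception raised by `throw UndertowMessages.MESSAGES.badRequest();` is handled by a catch block in `handleEvent` that starts and ends outside this hunk, so the hunk alone does not show whether the peer receives an error response or whether the connection is still closed on that path. Because the oversized request has only been partly read at this point, it is worth confirming that the handler either drains the rest of the packet or marks the connection non-persistent, so leftover bytes cannot be parsed as the start of the next request on a reused AJP connection. A short comment at the throw would record the intent, for example `// CVE-2023-5379: report a bad request instead of closing the connection here`. A regression test that sends a request larger than `maxRequestSize` and asserts both the response and the connection state afterwards would pin the behaviour.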