Blame SOURCES/tomcat-7.0.76-CVE-2017-5647.patch

--- java/org/apache/coyote/AbstractProtocol.java.orig	2017-08-18 09:12:05.149568367 -0400
+++ java/org/apache/coyote/AbstractProtocol.java	2017-08-18 09:12:55.998699189 -0400
@@ -693,10 +693,10 @@
                     release(wrapper, processor, false, true);
                 } else if (state == SocketState.SENDFILE) {
                     // Sendfile in progress. If it fails, the socket will be
-                    // closed. If it works, the socket will be re-added to the
-                    // poller
-                    connections.remove(socket);
-                    release(wrapper, processor, false, false);
+                    // closed. If it works, the socket either be added to the
+                    // poller (or equivalent) to await more data or processed
+                    // if there are any pipe-lined requests remaining.
+                    connections.put(socket, processor);
                 } else if (state == SocketState.UPGRADED) {
                     // Need to keep the connection associated with the processor
                     connections.put(socket, processor);
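Review bot: The rewritten comment in the SENDFILE branch is missing a verb — `// closed. If it works, the socket will either be added to the` reads correctly where the hunk has `the socket either be added`. Beyond wording, the branch now keeps the processor in `connections` via `connections.put(socket, processor)` where it previously removed the socket and released the processor; if the sendfile later fails and the socket is closed, whichever path handles that failure must also remove the map entry, otherwise the processor stays referenced — that path is not in this hunk, so it is worth confirming. The enclosing method starts and ends outside the hunk.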
--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig	2017-06-08 16:23:31.983000742 -0400
+++ java/org/apache/coyote/http11/Http11AprProcessor.java	2017-06-08 16:23:31.999000805 -0400
@@ -38,6 +38,7 @@
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.AprEndpoint;
 import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.SendfileKeepAliveState;
 import org.apache.tomcat.util.net.SocketStatus;
 import org.apache.tomcat.util.net.SocketWrapper;
 
@@ -211,7 +212,15 @@
         // Do sendfile as needed: add socket to sendfile and end
         if (sendfileData != null && !getErrorState().isError()) {
             sendfileData.socket = socketWrapper.getSocket().longValue();
-            sendfileData.keepAlive = keepAlive;
+            if (keepAlive) {
+                if (getInputBuffer().available() == 0) {
+                    sendfileData.keepAliveState = SendfileKeepAliveState.OPEN;
+                } else {
+                    sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED;
+                }
+            } else {
+                sendfileData.keepAliveState = SendfileKeepAliveState.NONE;
+            }
             switch (((AprEndpoint)endpoint).getSendfile().add(sendfileData)) {
             case DONE:
                 return false;
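Review bot: The nine-line mapping from `keepAlive` and `getInputBuffer().available()` to a `SendfileKeepAliveState` added here is duplicated verbatim in the Http11NioProcessor hunk at @@ -275,7 +276,15 @@; a single static helper on the enum (for example `SendfileKeepAliveState.of(boolean keepAlive, int available)`) would keep the two processors from drifting apart. The state is fixed at the moment the sendfile is scheduled, so request bytes that arrive afterwards appear to be picked up by the OPEN path's poller registration rather than by PIPELINED; a one-line comment such as `// Decided once here; data arriving later is handled by the poller` would save a reader re-deriving that. The enclosing method begins and ends outside the hunk.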
--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig	2017-06-08 16:23:31.984000746 -0400
+++ java/org/apache/coyote/http11/Http11NioProcessor.java	2017-06-08 16:23:32.000000809 -0400
@@ -37,6 +37,7 @@
 import org.apache.tomcat.util.net.NioEndpoint.KeyAttachment;
 import org.apache.tomcat.util.net.SSLSupport;
 import org.apache.tomcat.util.net.SecureNioChannel;
+import org.apache.tomcat.util.net.SendfileKeepAliveState;
 import org.apache.tomcat.util.net.SocketStatus;
 import org.apache.tomcat.util.net.SocketWrapper;
 
@@ -275,7 +276,15 @@
         // Do sendfile as needed: add socket to sendfile and end
         if (sendfileData != null && !getErrorState().isError()) {
             ((KeyAttachment) socketWrapper).setSendfileData(sendfileData);
-            sendfileData.keepAlive = keepAlive;
+            if (keepAlive) {
+                if (getInputBuffer().available() == 0) {
+                    sendfileData.keepAliveState = SendfileKeepAliveState.OPEN;
+                } else {
+                    sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED;
+                }
+            } else {
+                sendfileData.keepAliveState = SendfileKeepAliveState.NONE;
+            }
             SelectionKey key = socketWrapper.getSocket().getIOChannel().keyFor(
                     socketWrapper.getSocket().getPoller().getSelector());
             //do the first write on this thread, might as well
--- java/org/apache/tomcat/util/net/AprEndpoint.java.orig	2017-06-08 16:23:31.985000750 -0400
+++ java/org/apache/tomcat/util/net/AprEndpoint.java	2017-06-08 16:23:32.001000813 -0400
@@ -2106,7 +2106,7 @@
         // Position
         public long pos;
         // KeepAlive flag
-        public boolean keepAlive;
+        public SendfileKeepAliveState keepAliveState = SendfileKeepAliveState.NONE;
     }
 
 
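Review bot: The comment above the replaced field still says `// KeepAlive flag`, but the field is now the three-valued `SendfileKeepAliveState`; `// Keep-alive state to apply once the file has been fully written` describes it. The same stale comment survives in the NioEndpoint hunk at @@ -1836,6 +1850,6 @@. The enclosing SendfileData class starts outside the hunk.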
@@ -2349,20 +2349,33 @@
                             state.pos = state.pos + nw;
                             if (state.pos >= state.end) {
                                 remove(state);
-                                if (state.keepAlive) {
+                                switch (state.keepAliveState) {
+                                case NONE: {
+                                    // Close the socket since this is
+                                    // the end of the not keep-alive request.
+                                    closeSocket(state.socket);
+                                    break;
+                                }
+                                case PIPELINED: {
+                                    // Destroy file descriptor pool, which should close the file
+                                    Pool.destroy(state.fdpool);
+                                    Socket.timeoutSet(state.socket, getSoTimeout() * 1000);
+                                    // Process the pipelined request data
+                                    if (!processSocket(state.socket, SocketStatus.OPEN_READ)) {
+                                        closeSocket(state.socket);
+                                    }
+                                    break;
+                                }
+                                case OPEN: {
                                     // Destroy file descriptor pool, which should close the file
                                     Pool.destroy(state.fdpool);
-                                    Socket.timeoutSet(state.socket,
-                                            getSoTimeout() * 1000);
-                                    // If all done put the socket back in the
-                                    // poller for processing of further requests
-                                    getPoller().add(
-                                            state.socket, getKeepAliveTimeout(),
+                                    Socket.timeoutSet(state.socket, getSoTimeout() * 1000);
+                                    // Put the socket back in the poller for
+                                    // processing of further requests
+                                    getPoller().add(state.socket, getKeepAliveTimeout(),
                                             true, false);
-                                } else {
-                                    // Close the socket since this is
-                                    // the end of not keep-alive request.
-                                    closeSocket(state.socket);
+                                    break;
+                                }
                                 }
                             }
                         }
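Review bot: The new `switch (state.keepAliveState)` has no `default` arm, so a future enum constant would fall out of the switch with the socket neither closed nor returned to the poller — an open descriptor that nothing owns. Since `remove(state)` has already run at that point, a `default:` that logs and calls `closeSocket(state.socket)` is the safe fallback, or at least a comment stating that the three cases are intended to be exhaustive. The same shape appears in the NioEndpoint hunk at @@ -1383,16 +1383,30 @@. The enclosing loop and method start and end outside the hunk.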
--- java/org/apache/tomcat/util/net/NioEndpoint.java.orig	2017-06-08 16:23:31.987000757 -0400
+++ java/org/apache/tomcat/util/net/NioEndpoint.java	2017-06-08 16:23:32.002000817 -0400
@@ -1383,16 +1383,30 @@
                     // responsible for registering the socket for the
                     // appropriate event(s) if sendfile completes.
                     if (!calledByProcessor) {
-                        if ( sd.keepAlive ) {
-                            if (log.isDebugEnabled()) {
-                                log.debug("Connection is keep alive, registering back for OP_READ");
-                            }
-                            reg(sk,attachment,SelectionKey.OP_READ);
-                        } else {
+                        switch (sd.keepAliveState) {
+                        case NONE: {
                             if (log.isDebugEnabled()) {
                                 log.debug("Send file connection is being closed");
                             }
                             cancelledKey(sk,SocketStatus.STOP,false);
+                            break;
+                        }
+                        case PIPELINED: {
+                            if (log.isDebugEnabled()) {
+                                log.debug("Connection is keep alive, processing pipe-lined data");
+                            }
+                            if (!processSocket(sc, SocketStatus.OPEN_READ, true)) {
+                                cancelledKey(sk, SocketStatus.DISCONNECT, false);
+                            }
+                            break;
+                        }
+                        case OPEN: {
+                            if (log.isDebugEnabled()) {
+                                log.debug("Connection is keep alive, registering back for OP_READ");
+                            }
+                            reg(sk, attachment, SelectionKey.OP_READ);
+                            break;
+                        }
                         }
                     }
                     return SendfileState.DONE;
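Review bot: The PIPELINED arm cancels the key with `SocketStatus.DISCONNECT` when `processSocket` returns false, while the NONE arm a few lines above uses `SocketStatus.STOP` for its close; if the difference is deliberate (a failed dispatch versus an orderly end of a non-keep-alive exchange) a comment on that line would help, e.g. `// Could not dispatch the pipelined data; treat as an abrupt disconnect`. When `processSocket` succeeds the key is left with whatever interest set it had — presumably the dispatched processor re-registers it, but that is outside this hunk and worth confirming. The enclosing method starts and ends outside the hunk.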
@@ -1836,6 +1850,6 @@
         public volatile long pos;
         public volatile long length;
         // KeepAlive flag
-        public volatile boolean keepAlive;
+        public SendfileKeepAliveState keepAliveState = SendfileKeepAliveState.NONE;
     }
 }
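Review bot: The replacement field drops the `volatile` that the removed `keepAlive` carried, while the neighbouring `pos` and `length` fields keep theirs; the SendfileData is populated on the processor thread (Http11NioProcessor hunk) and read on the poller side in the first NioEndpoint hunk, so unless that hand-off is already ordered by the selector registration, `public volatile SendfileKeepAliveState keepAliveState = SendfileKeepAliveState.NONE;` is the consistent choice. The `// KeepAlive flag` comment above it is also stale now that the field is a state. The enclosing class starts outside the hunk.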
--- webapps/docs/changelog.xml.orig	2017-06-08 16:23:31.989000765 -0400
+++ webapps/docs/changelog.xml	2017-06-08 16:25:23.618440723 -0400
@@ -73,6 +73,13 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        Improve sendfile handling when requests are pipelined. (markt)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 7.0.76 (violetagg)">
   <subsection name="Catalina">
--- java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.orig	2017-06-08 16:23:31.992000777 -0400
+++ java/org/apache/tomcat/util/net/SendfileKeepAliveState.java	2017-06-08 16:23:32.000000809 -0400
@@ -0,0 +1,39 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.tomcat.util.net;
+
+public enum SendfileKeepAliveState {
+
+    /**
+     * Keep-alive is not in use. The socket can be closed when the response has
+     * been written.
+     */
+    NONE,
+
+    /**
+     * Keep-alive is in use and there is pipelined data in the input buffer to
+     * be read as soon as the current response has been written.
+     */
+    PIPELINED,
+
+    /**
+     * Keep-alive is in use. The socket should be added to the poller (or
+     * equivalent) to await more data as soon as the current response has been
+     * written.
+     */
+    OPEN
+}
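Review bot: The new enum has Javadoc on each constant but none on the type itself; a short class-level Javadoc stating that it replaces the former boolean keep-alive flag on the endpoints' SendfileData, that the value is chosen by the HTTP processor when the sendfile is scheduled, and that the endpoint acts on it once the file has been fully written would tie the three constants to their producers and consumers. Mentioning that PIPELINED versus OPEN is decided from `getInputBuffer().available()` at scheduling time would also document why the two keep-alive cases exist separately.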