Skip to content

Commit

Permalink
Add some comments for the fix for CVE-2018-8037
Browse files Browse the repository at this point in the history
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1837530 13f79535-47bb-0310-9956-ffa450edef68
  • Loading branch information
markt-asf committed Aug 6, 2018
1 parent 8a5c114 commit 4c04369
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 0 deletions.
9 changes: 9 additions & 0 deletions java/org/apache/coyote/AbstractProcessor.java
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,15 @@ public abstract class AbstractProcessor extends AbstractProcessorLight implement
protected final Adapter adapter;
protected final AsyncStateMachine asyncStateMachine;
private volatile long asyncTimeout = -1;
/*
* Tracks the current async generation when a timeout is dispatched. In the
* time it takes for a container thread to be allocated and the timeout
* processing to start, it is possible that the application completes this
* generation of async processing and starts a new one. If the timeout is
* then processed against the new generation, response mix-up can occur.
* This field is used to ensure that any timeout event processed is for the
* current async generation. This prevents the response mix-up.
*/
private volatile long asyncTimeoutGeneration = 0;
protected final Request request;
protected final Response response;
Expand Down
8 changes: 8 additions & 0 deletions java/org/apache/coyote/AsyncStateMachine.java
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,14 @@ boolean isCompleting() {

private volatile AsyncState state = AsyncState.DISPATCHED;
private volatile long lastAsyncStart = 0;
/*
* Tracks the current generation of async processing for this state machine.
* The generation is incremented every time async processing is started. The
* primary purpose of this is to enable Tomcat to detect and prevent
* attempts to process an event for a previous generation with the current
* generation as processing such an event usually ends badly:
* e.g. CVE-2018-8037.
*/
private final AtomicLong generation = new AtomicLong(0);
// Need this to fire listener on complete
private AsyncContextCallback asyncCtxt = null;
Expand Down

0 comments on commit 4c04369

Please sign in to comment.