Skip to content

Prevent integer overflow when calculating the share in Http2UpgradeHandler##releaseBackLog.#996

Open
motingeyjr wants to merge 2 commits intoapache:9.0.xfrom
motingeyjr:pull/i234949/9.0.x
Open

Prevent integer overflow when calculating the share in Http2UpgradeHandler##releaseBackLog.#996
motingeyjr wants to merge 2 commits intoapache:9.0.xfrom
motingeyjr:pull/i234949/9.0.x

Conversation

@motingeyjr
Copy link
Copy Markdown

Hello, first PR here.

I ran into a case where I was encountering an Integer overflow during the calculation of share in the releaseBackLog() method.

Specifically, s.getConnectionAllocationRequested() * remaining was larger than the maximum size of an Integer and was being converted to a negative value.

This eventually resulted in an IllegalStateException, prior to the fix in Tomcat v9.0.113:

1774273408.510362 00005675:0024D48D XTOMHT2F: java.lang.IllegalArgumentException: newLimit < 0: (-1843 < 0)
1774273408.510363 00005675:0024D48D XTOMHT2F: at java.base/java.nio.Buffer.createLimitException(Buffer.java:395)
1774273408.510364 00005675:0024D48D XTOMHT2F: at java.base/java.nio.Buffer.limit(Buffer.java:369)
1774273408.510365 00005675:0024D48D XTOMHT2F: at java.base/java.nio.ByteBuffer.limit(ByteBuffer.java:1529)
1774273408.510366 00005675:0024D48D XTOMHT2F: at java.base/java.nio.ByteBuffer.limit(ByteBuffer.java:267)
1774273408.510367 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.http2.Http2AsyncUpgradeHandler.writeBody(Http2AsyncUpgradeHandler.java:249)
1774273408.510368 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.http2.Stream$StreamOutputBuffer.flush(Stream.java:1136)
1774273408.510369 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.http2.Stream$StreamOutputBuffer.flush(Stream.java:1071)
1774273408.510370 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.http2.Stream$StreamOutputBuffer.end(Stream.java:1174)
1774273408.510371 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.http2.Http2OutputBuffer.end(Http2OutputBuffer.java:69)
1774273408.510372 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.http2.StreamProcessor.finishResponse(StreamProcessor.java:272)
1774273408.510373 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.AbstractProcessor.action(AbstractProcessor.java:386)
1774273408.510374 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.Response.action(Response.java:200)
1774273408.510375 00005675:0024D48D XTOMHT2F: at app//org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:253)
1774273408.510376 00005675:0024D48D XTOMHT2F: at app//org.apache.catalina.connector.Response.finishResponse(Response.java:442)
1774273408.510377 00005675:0024D48D XTOMHT2F: at app//org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:373)
1774273408.510378 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:476)
1774273408.510379 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
1774273408.510380 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:102)
1774273408.510381 00005675:0024D48D XTOMHT2F: at app//org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
1774273408.510382 00005675:0024D48D XTOMHT2F: at app//org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:973)
1774273408.510383 00005675:0024D48D XTOMHT2F: at app//org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:491)
1774273408.510384 00005675:0024D48D XTOMHT2F: at app//org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
1774273408.510385 00005675:0024D48D XTOMHT2F: at java.base/java.lang.Thread.run(Thread.java:857)

@markt-asf
Copy link
Copy Markdown
Contributor

The fix (casting to long) is fine. I'm not convinced of the need for all the additional checks.

@motingeyjr
Copy link
Copy Markdown
Author

Hey Mark, thanks for the review. I've removed the 2 extra negative checks that didn't pertain to this actual fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants