From: Markus Koschany <apo@debian.org>
Date: Sun, 26 Jun 2016 19:14:54 +0200
Subject: CVE-2016-3092
A denial of service vulnerability was identified in Commons FileUpload that
occurred when the length of the multipart boundary was just below the size of
the buffer (4096 bytes) used to read the uploaded file. This caused the file
upload process to take several orders of magnitude longer than if the boundary
was the typical tens of bytes long.
Upstream advisory:
http://markmail.org/message/oyxfv73jb2g7rjg3
Origin: https://svn.apache.org/r1743480
Origin: https://svn.apache.org/viewvc?view=revision&revision=1743742
---
.../apache/tomcat/util/http/fileupload/MultipartStream.java | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
index ed5c456..a22db76 100644
--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2016-02-08 21:32:01.000000000 +0100
+++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2016-07-02 14:45:42.313841373 +0200
@@ -282,11 +282,10 @@
byte[] boundary,
int bufSize,
ProgressNotifier pNotifier) {
- this.input = input;
- this.bufSize = bufSize;
- this.buffer = new byte[bufSize];
- this.notifier = pNotifier;
+ if (boundary == null) {
+ throw new IllegalArgumentException("boundary may not be null");
+ }
// We prepend CR/LF to the boundary to chop trailing CR/LF from
// body-data tokens.
this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
@@ -294,6 +293,11 @@
throw new IllegalArgumentException(
"The buffer size specified for the MultipartStream is too small");
}
+ this.input = input;
+ this.bufSize = Math.max(bufSize, boundaryLength*2);
+ this.buffer = new byte[this.bufSize];
+ this.notifier = pNotifier;
+
this.boundary = new byte[this.boundaryLength];
this.keepRegion = this.boundary.length;
distrib
>
Mageia
>
5
>
i586
>
media
>
core-updates-src
>
by-pkgid
>
fc5e9d522e1a2b6ff7cb7ceaa04997d8
>
files
>
1
