From: Markus Koschany <apo@debian.org>
Date: Sun, 26 Jun 2016 19:14:54 +0200
Subject: CVE-2016-3092
A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long. Upstream advisory: http://markmail.org/message/oyxfv73jb2g7rjg3
Origin: https://svn.apache.org/r1743480
Origin: https://svn.apache.org/viewvc?view=revision&revision=1743742
---
 .../apache/tomcat/util/http/fileupload/MultipartStream.java | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
index ed5c456..a22db76 100644
--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2016-02-08 21:32:01.000000000 +0100
+++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2016-07-02 14:45:42.313841373 +0200
@@ -282,11 +282,10 @@
 byte[] boundary, int bufSize, ProgressNotifier pNotifier) {
- this.input = input;
- this.bufSize = bufSize;
- this.buffer = new byte[bufSize];
- this.notifier = pNotifier;
+ if (boundary == null) {
+ throw new IllegalArgumentException("boundary may not be null");
+ }
 // We prepend CR/LF to the boundary to chop trailing CR/LF from
 // body-data tokens.
 this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
@@ -294,6 +293,11 @@
 throw new IllegalArgumentException( "The buffer size specified for the MultipartStream is too small");
 }
+ this.input = input;
+ this.bufSize = Math.max(bufSize, boundaryLength*2);
+ this.buffer = new byte[this.bufSize];
+ this.notifier = pNotifier;
+ this.boundary = new byte[this.boundaryLength];
 this.keepRegion = this.boundary.length;
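Review bot: The new guard on `boundary` in the first hunk rejects only null; the boundary's length stays unchecked, and the second hunk now sizes the buffer from it, so an oversized boundary enlarges the per-stream allocation instead of being refused. RFC 2046 limits a multipart boundary to 70 characters, so a length check beside the null check would bound both the allocation and the scanning cost, for example `if (boundary.length > MAX_BOUNDARY_LENGTH) { throw new IllegalArgumentException("boundary is too long"); }`, where `MAX_BOUNDARY_LENGTH` is a placeholder for a constant the project would have to add. Whether a caller already limits the boundary (through a header size limit, say) cannot be seen from this hunk. The constructor's signature and Javadoc begin outside the hunk, so the new `IllegalArgumentException` for a null boundary should also be recorded there as a `@throws` entry.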
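Review bot: In the second hunk, `this.bufSize = Math.max(bufSize, boundaryLength*2);` silently overrides the caller's buffer size and has no comment explaining the factor of two, so a reader without the commit message cannot tell it is the CVE-2016-3092 mitigation. I would put above it `// CVE-2016-3092: a boundary nearly as long as the buffer made uploads orders of magnitude slower, so keep the buffer at least twice the boundary length.` and say in the constructor Javadoc (outside this hunk) that `bufSize` is a minimum, not the exact size. The "buffer size ... too small" guard in the leading context lines still runs against the caller's value before the enlargement, so some undersized values throw while others are quietly grown; its condition lies outside the hunk, so that split should be confirmed as intended. For consistency with the earlier hunk, the field could be written as `this.boundaryLength * 2`.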