Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2002-01-31 Thread Jon Scott Stevens

on 1/31/02 12:56 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> craigmcc    02/01/31 12:56:03
>
> Modified:    catalina/src/share/org/apache/catalina/connector/http
>              HttpConnector.java
>              catalina/src/share/org/apache/catalina/core
>              StandardServer.java
> Log:
> Enhance the exception message produced when creating a server socket
> fails (typically due to an "Address in use" situation) to include the
> port number of the failed open.
> 
> Enhancements to the proposed patch include:
> * If the socket is only for a particular IP address, report that also.
> * Add a similar enhancement to the message for the shutdown port opening
>   (although you will normally encounter an error on the connector before
>   running in to this one).
> 
> PR: Bugzilla #6130
> Submitted by: Jon Stevens <[EMAIL PROTECTED]>
> 
> Revision  ChangesPath
> 1.30  +16 -6 
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpC
> onnector.java
> 
> Index: HttpConnector.java
> ===
> RCS file: 
> /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/
> http/HttpConnector.java,v
> retrieving revision 1.29
> retrieving revision 1.30
> diff -u -r1.29 -r1.30
> --- HttpConnector.java20 Dec 2001 21:25:23 -1.29
> +++ HttpConnector.java31 Jan 2002 20:56:03 -1.30
> @@ -1,7 +1,7 @@
>  /*
> - * $Header: 
> /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/
> http/HttpConnector.java,v 1.29 2001/12/20 21:25:23 remm Exp $
> - * $Revision: 1.29 $
> - * $Date: 2001/12/20 21:25:23 $
> + * $Header: 
> /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/
> http/HttpConnector.java,v 1.30 2002/01/31 20:56:03 craigmcc Exp $
> + * $Revision: 1.30 $
> + * $Date: 2002/01/31 20:56:03 $
>   *
>   * 
>   *
> @@ -66,6 +66,7 @@
>  
>  
>  import java.io.IOException;
> +import java.net.BindException;
>  import java.net.InetAddress;
>  import java.net.ServerSocket;
>  import java.net.Socket;
> @@ -102,7 +103,7 @@
>   *
>   * @author Craig R. McClanahan
>   * @author Remy Maucherat
> - * @version $Revision: 1.29 $ $Date: 2001/12/20 21:25:23 $
> + * @version $Revision: 1.30 $ $Date: 2002/01/31 20:56:03 $
>   */
>  
>  
> @@ -972,14 +973,23 @@
>  // If no address is specified, open a connection on all addresses
>  if (address == null) {
>  log(sm.getString("httpConnector.allAddresses"));
> -return (factory.createSocket(port, acceptCount));
> +try {
> +return (factory.createSocket(port, acceptCount));
> +} catch (BindException be) {
> +throw new BindException(be.getMessage() + ":" + port);
> +}
>  }
>  
>  // Open a server socket on the specified address
>  try {
>  InetAddress is = InetAddress.getByName(address);
>  log(sm.getString("httpConnector.anAddress", address));
> -return (factory.createSocket(port, acceptCount, is));
> +try {
> +return (factory.createSocket(port, acceptCount, is));
> +} catch (BindException be) {
> +throw new BindException(be.getMessage() + ":" + address +
> +":" + port);
> +}
>  } catch (Exception e) {
>  log(sm.getString("httpConnector.noAddress", address));
>  return (factory.createSocket(port, acceptCount));
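
Review bot: In the address-specific branch, the new `throw new BindException(be.getMessage() + ":" + address + ":" + port)` is raised inside the outer `try`, so the `catch (Exception e)` that follows catches it, logs `httpConnector.noAddress` and retries `factory.createSocket(port, acceptCount)` on all addresses. The address-and-port message therefore never reaches the caller, and a connector configured for one address ends up attempting a wildcard bind. Suggest resolving the address in its own try that catches only the lookup failure, and doing the bind outside it. The fallback `createSocket` in that catch is also unwrapped, so a failure there still reports no port, and building a fresh `BindException` from `getMessage()` drops the original stack trace.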

Hey Craig, there is another factory.createSocket that gets created in the
catch clause right above...seems that that should be in a
try/catch(BindException) as well, doesn't it?

That is why I originally wrapped so much of the code in a single
try/catch...

-jon






Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2002-01-31 Thread Jon Scott Stevens

Thanks guys for making the changes...I'm sorry I didn't come up with a
perfect patch that would be easily applied, I just didn't want to step on
toes or do something wrong as a result of my lack of familiarity with the
entire code base.

thanks,

-jon

on 1/31/02 1:13 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:

> On Thu, 31 Jan 2002, Remy Maucherat wrote:
> 
>> Date: Thu, 31 Jan 2002 13:06:35 -0800
>> From: Remy Maucherat <[EMAIL PROTECTED]>
>> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
>> To: Tomcat Developers List <[EMAIL PROTECTED]>
>> Subject: Re: cvs commit:
>> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core
>> StandardServer.java
>> 
>>>>>   PR: Bugzilla #6130
>>>>>   Submitted by: Jon Stevens <[EMAIL PROTECTED]>
>>>>
>>>> +1 for the change.
>>>
>>> Does that mean ok for 4.0.2 as well?
>>
>> Nope, but +1 too. I don't see anything it could break.
>> 
> 
> OK, will do it in a sec.
> 
>> Remy
>> 
>> 
> 
> Craig






Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2001-08-24 Thread Carlos Gaston Alvarez

forget it, I saw the other answers. Sorry.

- Original Message -
From: "Carlos Gaston Alvarez" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 24, 2001 9:10 PM
Subject: Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java


> Just a security issue.
> Confirm that you are not listening only the necessary characters to know
> that it doesn't match, that you are listening more. Because if you stop it
> just when you know it will not match a hacker can easily guess which is the
> password. You should have a (big) min to listen before stopping it.
> Sorry if this mail is useless (most probably), just a thought.
>
> Chau,
>
> Gaston
>
>





Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2001-08-24 Thread Carlos Gaston Alvarez

Just a security issue.
Confirm that you are not listening only the necessary characters to know
that it doesn't match, that you are listening more. Because if you stop it
just when you know it will not match a hacker can easily guess which is the
password. You should have a (big) min to listen before stopping it.
Sorry if this mail is useless (most probably), just a thought.

Chau,

Gaston


- Original Message -
From: "Pier P. Fumagalli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 21, 2001 9:10 PM
Subject: Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java


> Justin Erenkrantz at [EMAIL PROTECTED] wrote:
>
> > On Tue, Aug 21, 2001 at 06:51:52PM -, [EMAIL PROTECTED] wrote:
> >> craigmcc    01/08/21 11:51:52
> >>
> >>   Modified:    catalina/src/share/org/apache/catalina/core
> >> StandardServer.java
> >>   Log:
> >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> >>   of memory" exception by sending a continuous stream of characters.  Now,
> >>   Tomcat will only listen for enough characters to match or not-match the
> >>   required password, then it shuts the port.
> >
> > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
>
> Good point... :(
>
> Pier
>




Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2001-08-21 Thread Christopher Cain


"Craig R. McClanahan" wrote:
> 
> On Tue, 21 Aug 2001, Christopher Cain wrote:

[snip]

> > Now, if you could just add a small random value to "expected" before you
> > drop into the "while > 0" loop to make it non-deterministic, please ...
> >
> > (just kidding ;-)
> >
> 
> Don't laugh.  That's what I had actually implemented after doing the +=
> 1024 thing, but I just hadn't saved it away.
> 
> Craig

Oh ... hahaha ... I thought you'd think I was being a paranoid
crypto-weenie. I guess great minds just think alike ;-)

I do that editor thing all the time too. Mostly when I change something,
do a build, run it, then wonder why custom debug output didn't show up.
D'oh! =)

- Christopher



Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2001-08-21 Thread Craig R. McClanahan



On Tue, 21 Aug 2001, Christopher Cain wrote:

> 
> 
> "Craig R. McClanahan" wrote:
> > 
> > On Tue, 21 Aug 2001, Christopher Cain wrote:
> > 
> > > "Pier P. Fumagalli" wrote:
> > > >
> > > > Justin Erenkrantz at [EMAIL PROTECTED] wrote:
> > > >
> > > > > On Tue, Aug 21, 2001 at 06:51:52PM -, [EMAIL PROTECTED] wrote:
> > > > >> craigmcc    01/08/21 11:51:52
> > > > >>
> > > > >>   Modified:    catalina/src/share/org/apache/catalina/core
> > > > >> StandardServer.java
> > > > >>   Log:
> > > > >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> > > > >>   of memory" exception by sending a continuous stream of characters.  Now,
> > > > >>   Tomcat will only listen for enough characters to match or not-match the
> > > > >>   required password, then it shuts the port.
> > > > >
> > > > > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
> > > >
> > > > Good point... :(
> > > >
> > > > Pier
> > >
> > > It is a good point. Might I suggest shutting it off at an arbitrary
> > > limit instead ... say, 100 characters?
> > >
> > 
> > 100 is a little short for paranoid sysadmins that use a really long
> > password :-).  But you'll get a kick out of what I did implement :-).
> 
> Ahhh ... a padded limit ... I likes it, I likes it =)
> 
> Now, if you could just add a small random value to "expected" before you
> drop into the "while > 0" loop to make it non-deterministic, please ...
> 
> (just kidding ;-)
> 

Don't laugh.  That's what I had actually implemented after doing the +=
1024 thing, but I just hadn't saved it away.

> - Christopher
> 

Craig
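
The bounded read that this thread converges on, as an added Java example (not Tomcat's code and not from any poster): it caps the read at a fixed size chosen independently of the password, rejects longer passwords at startup, and compares without an early exit. It uses a fixed cap rather than the padded or randomized limit mentioned above; `ShutdownCommandReader`, `MAX_COMMAND_BYTES` and the sample secret are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class ShutdownCommandReader {
    // Assumed fixed cap, chosen independently of the configured password.
    static final int MAX_COMMAND_BYTES = 4096;

    private final byte[] secret;

    ShutdownCommandReader(String password) {
        // Reject over-long passwords at startup so the cap never has to grow with the secret.
        if (password.isEmpty() || password.length() > MAX_COMMAND_BYTES) {
            throw new IllegalArgumentException(
                    "shutdown password must be 1.." + MAX_COMMAND_BYTES + " characters");
        }
        secret = password.getBytes(StandardCharsets.US_ASCII);
    }

    /** Reads one command: stops at EOF, a control character, or the fixed cap. */
    byte[] readCommand(InputStream in) throws IOException {
        byte[] buf = new byte[MAX_COMMAND_BYTES];
        int n = 0;
        while (n < buf.length) {
            int ch = in.read();
            if (ch < 32) break;            // -1 (EOF) or a control character ends the command
            buf[n++] = (byte) ch;
        }
        return Arrays.copyOf(buf, n);      // memory use is bounded whatever the peer sends
    }

    /** Compares the whole input; does not return at the first mismatching byte. */
    boolean matches(byte[] received) {
        return MessageDigest.isEqual(received, secret);
    }

    public static void main(String[] args) throws IOException {
        ShutdownCommandReader r = new ShutdownCommandReader("constructed-sample-secret");
        byte[] flood = new byte[1 << 20];  // constructed input: 1 MiB of 'A', no terminator
        Arrays.fill(flood, (byte) 'A');
        byte[] got = r.readCommand(new ByteArrayInputStream(flood));
        System.out.println("flood kept=" + got.length + " match=" + r.matches(got));
        byte[] ok = r.readCommand(new ByteArrayInputStream(
                "constructed-sample-secret\n".getBytes(StandardCharsets.US_ASCII)));
        System.out.println("valid kept=" + ok.length + " match=" + r.matches(ok));
    }
}
```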





Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2001-08-21 Thread Christopher Cain



"Craig R. McClanahan" wrote:
> 
> On Tue, 21 Aug 2001, Christopher Cain wrote:
> 
> > "Pier P. Fumagalli" wrote:
> > >
> > > Justin Erenkrantz at [EMAIL PROTECTED] wrote:
> > >
> > > > On Tue, Aug 21, 2001 at 06:51:52PM -, [EMAIL PROTECTED] wrote:
> > > >> craigmcc    01/08/21 11:51:52
> > > >>
> > > >>   Modified:    catalina/src/share/org/apache/catalina/core
> > > >> StandardServer.java
> > > >>   Log:
> > > >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> > > >>   of memory" exception by sending a continuous stream of characters.  Now,
> > > >>   Tomcat will only listen for enough characters to match or not-match the
> > > >>   required password, then it shuts the port.
> > > >
> > > > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
> > >
> > > Good point... :(
> > >
> > > Pier
> >
> > It is a good point. Might I suggest shutting it off at an arbitrary
> > limit instead ... say, 100 characters?
> >
> 
> 100 is a little short for paranoid sysadmins that use a really long
> password :-).  But you'll get a kick out of what I did implement :-).

Ahhh ... a padded limit ... I likes it, I likes it =)

Now, if you could just add a small random value to "expected" before you
drop into the "while > 0" loop to make it non-deterministic, please ...

(just kidding ;-)

- Christopher



Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2001-08-21 Thread Craig R. McClanahan

On Tue, 21 Aug 2001, Christopher Cain wrote:

> "Pier P. Fumagalli" wrote:
> > 
> > Justin Erenkrantz at [EMAIL PROTECTED] wrote:
> > 
> > > On Tue, Aug 21, 2001 at 06:51:52PM -, [EMAIL PROTECTED] wrote:
> > >> craigmcc    01/08/21 11:51:52
> > >>
> > >>   Modified:    catalina/src/share/org/apache/catalina/core
> > >> StandardServer.java
> > >>   Log:
> > >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> > >>   of memory" exception by sending a continuous stream of characters.  Now,
> > >>   Tomcat will only listen for enough characters to match or not-match the
> > >>   required password, then it shuts the port.
> > >
> > > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
> > 
> > Good point... :(
> > 
> > Pier
> 
> It is a good point. Might I suggest shutting it off at an arbitrary
> limit instead ... say, 100 characters?
> 

100 is a little short for paranoid sysadmins that use a really long
password :-).  But you'll get a kick out of what I did implement :-).

> - Christopher
> 

Craig





Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2001-08-21 Thread Christopher Cain

"Pier P. Fumagalli" wrote:
> 
> Justin Erenkrantz at [EMAIL PROTECTED] wrote:
> 
> > On Tue, Aug 21, 2001 at 06:51:52PM -, [EMAIL PROTECTED] wrote:
> >> craigmcc    01/08/21 11:51:52
> >>
> >>   Modified:    catalina/src/share/org/apache/catalina/core
> >> StandardServer.java
> >>   Log:
> >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> >>   of memory" exception by sending a continuous stream of characters.  Now,
> >>   Tomcat will only listen for enough characters to match or not-match the
> >>   required password, then it shuts the port.
> >
> > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
> 
> Good point... :(
> 
> Pier

It is a good point. Might I suggest shutting it off at an arbitrary
limit instead ... say, 100 characters?

- Christopher



Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

2001-08-21 Thread Pier P. Fumagalli

Justin Erenkrantz at [EMAIL PROTECTED] wrote:

> On Tue, Aug 21, 2001 at 06:51:52PM -, [EMAIL PROTECTED] wrote:
>> craigmcc    01/08/21 11:51:52
>> 
>>   Modified:    catalina/src/share/org/apache/catalina/core
>> StandardServer.java
>>   Log:
>>   Fix for a DoS attack against the shutdown port, that could cause an "out
>>   of memory" exception by sending a continuous stream of characters.  Now,
>>   Tomcat will only listen for enough characters to match or not-match the
>>   required password, then it shuts the port.
> 
> Now I'll know exactly how long the shutdown password is.  =-)  -- justin

Good point... :(

Pier