28713 – Line too long - DoS Attack

Bug 28713 - Line too long - DoS Attack

Summary: Line too long - DoS Attack

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat 4
Classification:	Unclassified
Component:	Catalina (show other bugs)
Version:	4.0.3 Final
Hardware:	Other other

Importance:	P3 critical (vote)
Target Milestone:	---
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2004-04-30 14:36 UTC by Otavio Silva
Modified:	2004-11-16 19:05 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Otavio Silva 2004-04-30 14:36:00 UTC

Somebody is attacking my Tomcat Server sending a big HTTP header. When the 
server gets this request it throws an IOException and the HTTPProcessor hangs. 

The exception is:

HttpProcessor[80][1] process.parse
java.io.IOException: Line too long
	at org.apache.catalina.connector.http.SocketInputStream.readRequestLine
(SocketInputStream.java:271)
	at org.apache.catalina.connector.http.HttpProcessor.parseRequest
(HttpProcessor.java:695)
	at org.apache.catalina.connector.http.HttpProcessor.process
(HttpProcessor.java:959)
	at org.apache.catalina.connector.http.HttpProcessor.run
(HttpProcessor.java:1107)
	at java.lang.Thread.run(Unknown Source)


After all HTTPProcessors are hung every connection to the server fails. This 
issue is related to Bug 3511. The HTTP port is able to respond but cannot 
respond since there aren't processors available to handle the request. The 
catalina log keeps showing:

"HttpConnector[80] No processor available, rejecting this connection"

Are there any workarounds for this issue? I don't understand why the processor 
hangs since this should be a handled exception...

Thxs!

Comment 1 Mark Thomas 2004-07-21 19:54:22 UTC

This was fixed over two years ago in 4.0.4