Bug 48719

Summary: [BUG] mod_proxy_ajp return wrong error message when client cookie is very big
Product: Apache httpd-2
Reporter: Kevin Q <qu-chunguang>
Component: mod_proxy_ajp
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: normal
CC: qu-chunguang
Priority: P2
Keywords: ErrorMessage
Version: 2.2.4
Target Milestone: ---
Hardware: All
OS: All
Attachments: test jsp page

Description Kevin Q 2010-02-09 22:56:37 UTC
Created attachment 24959 [details]
test jsp page

1 Error in apache-mod_proxy_ajp
1.1 In an apache-mod_proxy_ajp-tomcat connection,
when a JSP page on Tomcat tries to create a very big cookie (about 8000 B) for the user's browser (or just tries to read a very big cookie from the user's browser),
an error occurs.

As the size of the cookie is changed,
the following errors are logged (in apache/logs/error_log):

--
[Tue Feb 09 14:02:40 2010] [error] ajp_msg_get_string(): BufferOverflowException 8188 8192
[Tue Feb 09 14:02:40 2010] [error] ajp_unmarshal_response: Null header name
[Tue Feb 09 14:02:40 2010] [error] (120001)APR does not understand this error code: proxy: send body failed to 172.28.14.243:8009 (172.28.14.243)

--
[Tue Feb 09 12:37:22 2010] [error] ajp_check_msg_header() incoming message is too big 8196, max is 8192
[Tue Feb 09 12:37:22 2010] [error] ajp_ilink_receive() received bad header
[Tue Feb 09 12:37:22 2010] [error] ajp_read_header: ajp_ilink_receive failed
[Tue Feb 09 12:37:22 2010] [error] (120007)APR does not understand this error code: proxy: send body failed to 172.28.14.243:8009 (172.28.14.243)

--
[Tue Feb 09 13:42:22 2010] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
[Tue Feb 09 13:42:22 2010] [error] ajp_read_header: ajp_ilink_receive failed
[Tue Feb 09 13:42:22 2010] [error] (120006)APR does not understand this error code: proxy: read response failed from 172.28.14.243:8009 (172.28.14.243)

And as the size of the cookie is changed, a different error message
is returned to the user's browser,
but none of them describes the true reason (whether the cookie, the URL, or just the ajp_header is over the limit).

1.2 source check

1.2.1 base source
  + Apache 2.2.4 mod_proxy_ajp
  + Tomcat 5.5.23 connectors/ajp

1.2.2 source extraction
--SEND (apache_tomcat_ajp)--
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/src/ajp_msg.c
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/src/ajp_link.c
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/src/ajp_header.c
//apache-tomcat-5.5.23-src/connectors/ajp/ajplib/include/ajp_header.h
//apache-tomcat-5.5.23-src/connectors/ajp/proxy/proxy_ajp.c
//apache-tomcat-5.5.23-src/connectors/ajp/proxy/mod_proxy.c
ap_proxy_ajp_request(){
    ... ...
    ajp_send_header();
    ... ...
}

ajp_send_header(){
    ... ...
    ajp_msg_create();
    ajp_marshal_into_msgb();
    ajp_ilink_send();
    ... ...
}

ajp_msg_create(){
    ... ...
    msg->len=0;
    msg->header_len=4;
    ... ...
}

ajp_marshal_into_msgb(){
    ... ...
    ajp_msg_append_*();    // msg->len += 1/2/4/...
}

ajp_ilink_send(){
    ... ...
    ajp_msg_end();
    ... ...
}

ajp_msg_append_uint8(){
    if((msg->len + 1) >= 8KB)    // <== ERROR: msg->len + 4 (msg->header_len) + 1 >= 8KB
        // <== fine: the too-big error is handled here
}

ajp_msg_end(){
    ... ...
    // write prefix 2 bytes to buf[0-1]
    ... ...
    // write len (msg->len - 4) 2 bytes to buf[2-3]
    len = msg->len - 4;        // <== ERROR: msg->len used as the used length of the save buffer
    ... ...
}

--RECEIVE(apache_mod_proxy_ajp)--
//httpd-2.2.4/modules/proxy/ajp_msg.c

ajp_msg_check_header(){
    ... ...
    // get msglen from buf
    if(msglen > 8KB){    // <== ERROR: msglen used as the used length of the save buffer
        // output: [Wed Dec 30 14:17:43 2009] [error] ajp_check_msg_header() incoming message is too big 8196, max is 8192
        // this message should never appear
    }
    ... ...
}

1.3 Wrong use of len (in struct ajp_msg) / header_len / msglen (in the ajp_header buf).
It seems that these three values have different meanings when describing the ajp_header, but in two places they are used with a different meaning.
So when the ajp_header size reaches about AJP_MSG_BUFFER_SZ,
errors occur in many places.
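The following is an added example, not code from httpd or Tomcat: a minimal model of AJP message framing in which each of the three lengths discussed above keeps one fixed meaning (msg->len counts the whole buffer in use, header included; the 2-byte wire length counts payload only), so the sender's append check and the receiver's header check are derived from the same constants and cannot disagree. The 8192-byte buffer, 4-byte header and magic bytes follow the report; the function bodies and the helper ajp_msg_fill are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

#define AJP_MSG_BUFFER_SZ 8192u  /* whole buffer, as in the report */
#define AJP_HEADER_LEN    4u     /* 2 magic bytes + 2-byte payload length */
#define AJP_MAX_PAYLOAD   (AJP_MSG_BUFFER_SZ - AJP_HEADER_LEN)  /* 8188 */

typedef struct {
    uint8_t buf[AJP_MSG_BUFFER_SZ];
    size_t  len;  /* bytes of buf in use, header included (msg->len above) */
} ajp_msg_t;

void ajp_msg_reset(ajp_msg_t *msg) {
    msg->len = AJP_HEADER_LEN;  /* the 4 header bytes are reserved up front */
}

/* Sender: 0 on success, -1 if one more byte would overrun the buffer.
 * msg->len already counts the header, so nothing else is added here. */
int ajp_msg_append_uint8(ajp_msg_t *msg, uint8_t value) {
    if (msg->len + 1 > AJP_MSG_BUFFER_SZ)
        return -1;
    msg->buf[msg->len++] = value;
    return 0;
}

/* Appends up to n copies of value; returns how many actually fit. */
size_t ajp_msg_fill(ajp_msg_t *msg, size_t n, uint8_t value) {
    size_t i;
    for (i = 0; i < n && ajp_msg_append_uint8(msg, value) == 0; i++)
        ;
    return i;
}

/* Sender: writes the magic and the wire length, which EXCLUDES the header. */
size_t ajp_msg_end(ajp_msg_t *msg, int from_container) {
    size_t payload = msg->len - AJP_HEADER_LEN;
    msg->buf[0] = from_container ? 0x41 : 0x12;
    msg->buf[1] = from_container ? 0x42 : 0x34;
    msg->buf[2] = (uint8_t)(payload >> 8);
    msg->buf[3] = (uint8_t)(payload & 0xFF);
    return payload;
}

/* Receiver: announced payload length, or -1 for bad magic or a payload that
 * would not fit in the buffer once the header is added back. */
long ajp_msg_check_header(const uint8_t head[4]) {
    int ok = (head[0] == 0x41 && head[1] == 0x42) || (head[0] == 0x12 && head[1] == 0x34);
    size_t msglen = ((size_t)head[2] << 8) | head[3];
    return (!ok || msglen > AJP_MAX_PAYLOAD) ? -1 : (long)msglen;
}
```

With these definitions a full message carries 8188 payload bytes (the first number in the BufferOverflowException line above), and a header announcing 8196 bytes is rejected because 8196 + 4 cannot fit in 8192.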

2 To meet the needs of many applications,
we suggest raising the value of AJP_MSG_BUFFER_SZ to 16KB.
This value should be a good balance between performance and availability.

3 Wrong function name in log output.
apache/modules/proxy/ajp_msg.c:
line 102: function name error.
line 113: function name error.

4 test jsp page (in attachment)