[UNDERTOW-2280] CVE-2023-5379 At AjpReadListener, do not close the co…

…nnection if read is larger than maxRequestSize Signed-off-by: Flavia Rainone <[email protected]>
undertow-io · Feb 21, 2024 · f8e0796 · f8e0796
1 parent 93d1549
commit f8e0796
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
@@ -19,6 +19,7 @@
 package io.undertow.server.protocol.ajp;
 
 import io.undertow.UndertowLogger;
+import io.undertow.UndertowMessages;
 import io.undertow.UndertowOptions;
 import io.undertow.conduits.ConduitListener;
 import io.undertow.conduits.EmptyStreamSourceConduit;
@@ -165,8 +166,9 @@ public void handleEvent(final StreamSourceChannel channel) {
                 }
                 if (read > maxRequestSize) {
                     UndertowLogger.REQUEST_LOGGER.requestHeaderWasTooLarge(connection.getPeerAddress(), maxRequestSize);
-                    safeClose(connection);
-                    return;
+                    //safeClose(connection);
+                    //return;
+                    throw UndertowMessages.MESSAGES.badRequest();
                 }
             } while (!state.isComplete());