tomcat/CVE-2023-28709.patch
wk333 f1986b1f50 Fix CVE-2024-21733,CVE-2023-24998,CVE-2023-28709,CVE-2023-42795
(cherry picked from commit 5342785c692e11ff9c1d5532a41e7ed4279738e3)
2024-01-23 14:40:36 +08:00


From fbd81421629afe8b8a3922d59020cde81caea861 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Tue, 11 Apr 2023 16:41:44 +0100
Subject: [PATCH] Fix parameter counting logic
Origin: https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861
---
java/org/apache/tomcat/util/http/Parameters.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/http/Parameters.java b/java/org/apache/tomcat/util/http/Parameters.java
index 08c6ffd..a19453d 100644
--- a/java/org/apache/tomcat/util/http/Parameters.java
+++ b/java/org/apache/tomcat/util/http/Parameters.java
@@ -205,14 +205,14 @@ public final class Parameters {
return;
}
- parameterCount ++;
- if (limit > -1 && parameterCount > limit) {
+ if (limit > -1 && parameterCount >= limit) {
// Processing this parameter will push us over the limit. ISE is
// what Request.parseParts() uses for requests that are too big
setParseFailedReason(FailReason.TOO_MANY_PARAMETERS);
throw new IllegalStateException(sm.getString(
"parameters.maxCountFail", Integer.valueOf(limit)));
}
+ parameterCount ++;
ArrayList<String> values = paramHashValues.get(key);
if (values == null) {
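Review bot: The relocated `parameterCount ++;` now carries an invariant the code does not state: because it runs only after the parameter passes `parameterCount >= limit`, the counter can no longer sit at limit + 1 when the request is rejected. A comment on that line, such as `// Count only accepted parameters so parameterCount never exceeds limit`, would keep a later refactor from moving the increment back above the check. The existing comment names Request.parseParts(); if that code derives a remaining-parts budget from this count (not visible here, so confirm), an overshoot would presumably weaken that budget, which is why the boundary matters. The patch touches only Parameters.java, so a test that accepts exactly `limit` parameters, rejects the next one with the ISE, and checks the count stays at `limit` would pin the behaviour. The enclosing method starts and ends outside the hunk.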
--
2.33.0