Fix a potential memory overrun error in ap_get_client_block. The problem
authorRyan Bloom <rbb@apache.org>
Fri, 6 Oct 2000 16:41:30 +0000 (16:41 +0000)
committerRyan Bloom <rbb@apache.org>
Fri, 6 Oct 2000 16:41:30 +0000 (16:41 +0000)
is that the bucket code does not respect the length passed into it.  This
is correct for buckets, but it means that when we get data out of the
buckets, we may have to split the bucket to make sure that any copy
operations are safe.  We were originally doing the split at the number of
characters read from the bucket, but we really want to do it at the length
of the buffer.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86415 13f79535-47bb-0310-9956-ffa450edef68

modules/http/http_protocol.c

index a3ebf727e0714e60518957547352aba91f2eb737..e62322497e4207e82d6a92e17f80b30368ceb8ec 100644 (file)
@@ -2394,16 +2394,20 @@ API_EXPORT(long) ap_get_client_block(request_rec *r, char *buffer, int bufsiz)
         b = AP_BRIGADE_FIRST(r->connection->input_data);
         len_read = len_to_read;
         rv = b->read(b, &tempbuf, &len_read, 0);
-        if (len_read < b->length) {
-            b->split(b, len_read);
+        if (len_to_read < b->length) {
+            b->split(b, len_to_read);
         }
-        memcpy(buffer, tempbuf, len_read);
+        else {
+            len_to_read = len_read;
+        }
+
+        memcpy(buffer, tempbuf, len_to_read);
         AP_BUCKET_REMOVE(b);
         b->destroy(b);
 
-        r->read_length += len_read;
-        r->remaining -= len_read;
-        return len_read;
+        r->read_length += len_to_read;
+        r->remaining -= len_to_read;
+        return len_to_read;
     }
 
     /*
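Review bot: The status stored in `rv` by `b->read(b, &tempbuf, &len_read, 0)` is never tested before `memcpy(buffer, tempbuf, len_to_read)`, so a failed read would copy from whatever `tempbuf` happens to hold; a check such as `if (rv != APR_SUCCESS) { return -1; }` directly after the read would close that, assuming `rv` follows the APR status convention and -1 is this function's error return (neither is visible in the hunk). The new `else` branch also overwrites `len_to_read` with `len_read`, which keeps the copy inside `buffer` only if the bucket never reports more than `b->length`; writing it as `else if (len_read < len_to_read) { len_to_read = len_read; }` lets the copy length only ever shrink from the requested size. The result of `b->split(b, len_to_read)` is ignored as well, so a failed split would go unnoticed at this point. The body of ap_get_client_block starts and ends outside this hunk, so whether `len_to_read` is already capped at `bufsiz` cannot be confirmed from here.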