Bail on computing the amount of bytes in a brigade if any of the buckets

have indeterminate length (e.g., a pipe bucket). Passing an invalid length
into mod_mem_cache can cause it to overflow its cache buffer.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93698 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/experimental/mod_cache.c b/modules/experimental/mod_cache.c
index f7055d51fc922c89aae3a3382ff870ca0d362d85..c72b15d531dec6c67c605c1b1ead802d33e6156b 100644 (file)
--- a/modules/experimental/mod_cache.c
+++ b/modules/experimental/mod_cache.c
@@ -578,6 +578,9 @@ static int cache_in_filter(ap_filter_t *f, apr_bucket_brigade *in)
                 if (APR_BUCKET_IS_FLUSH(e)) {
                     continue;
                 }
+                if (e->length < 0) {
+                    break;
+                }
                 size += e->length;
             }