* modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix rollback
authorJoe Orton <jorton@apache.org>
Tue, 17 Aug 2004 16:31:23 +0000 (16:31 +0000)
committerJoe Orton <jorton@apache.org>
Tue, 17 Aug 2004 16:31:23 +0000 (16:31 +0000)
handling for AP_MODE_SPECULATIVE.

PR: 30134

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@104687 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_io.c

diff --git a/CHANGES b/CHANGES
index 72bc653a097944ef8bedb01c895e1a5df51afbf5..408dd28a1f509fd781db7b420012d4232633fc9f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) SECURITY: CAN-2004-0751 (cve.mitre.org)
+     mod_ssl: Fix a segfault in the SSL input filter which could be
+     triggered if using "speculative" mode, for instance by a 
+     proxy request to an SSL server.  PR 30134  [Joe Orton]
+
   *) Add test_config hook, run only if httpd is invoked using -t.
      [Joe Orton]
 
index 29e9a650f8c53d4fe8ee1bdd6b9f91324a1584e5..671fa5a5476904e18b0517ff9ad12d9a6937dcd0 100644 (file)
@@ -564,8 +564,12 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
         *len = bytes;
         if (inctx->mode == AP_MODE_SPECULATIVE) {
             /* We want to rollback this read. */
-            inctx->cbuf.value -= bytes;
-            inctx->cbuf.length += bytes;
+            if (inctx->cbuf.length > 0) {
+                inctx->cbuf.value -= bytes;
+                inctx->cbuf.length += bytes;
+            } else {
+                char_buffer_write(&inctx->cbuf, buf, (int)bytes);
+            }
             return APR_SUCCESS;
         }
         /* This could probably be *len == wanted, but be safe from stray
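Review bot: The new `else` branch of the speculative rollback hands `buf` to `char_buffer_write()`, whose definition is not visible in this hunk; if it stores the pointer rather than copying the data, `inctx->cbuf` now aliases the caller's buffer, and the next read is only safe while that buffer stays valid and unmodified. The `if` branch also depends on an unstated invariant: a non-zero `cbuf.length` after the read must mean that all `bytes` were served from `cbuf`, otherwise `cbuf.value -= bytes` steps back past the start of the buffered data. I would record both in the existing comment, for example `/* Roll back: if cbuf was not drained, every byte came from it, so step back; otherwise it was emptied, so re-seed it from buf, which must outlive the next read. */`. The `(int)bytes` cast is presumably bounded by the caller's requested length, but that should be confirmed, since ssl_io_input_read begins and ends outside the hunk.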