Fix SEGV in 'shmcb' session cache:

When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.

PR: 27751
Submitted by: Geoff Thorpe
Reviewed by: Madhusudan Mathihalli

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103669 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 3c05367786bc02aa5b614595fbb0045074296de3..2732440cb601899c3df1f9a0b02646800b4f10a9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) Fix a potential SEGV in the 'shmcb' session cache when session data
+     size is greater than the size of the cache. PR 27751
+     [Geoff Thorpe <geoff geoffthorpe.net>]
+
   *) Proxy server was deleting cookies that Apache had already
      assigned if the origin server had set any cookies. PR 27023.
      [Jim Jagielski]

diff --git a/modules/ssl/ssl_scache_shmcb.c b/modules/ssl/ssl_scache_shmcb.c
index 5d5e75c70bba659011a93a4b12bde33d4a805e5c..fe8df27cf6d784fd6159a869cb7d42a192424955 100644 (file)
--- a/modules/ssl/ssl_scache_shmcb.c
+++ b/modules/ssl/ssl_scache_shmcb.c
@@ -840,6 +840,10 @@ static void shmcb_cyclic_ntoc_memcpy(
     unsigned int dest_offset,
     unsigned char *src, unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (dest_offset + src_len < buf_size)
         /* yes */
@@ -863,6 +867,10 @@ static void shmcb_cyclic_cton_memcpy(
     unsigned int src_offset,
     unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (src_offset + src_len < buf_size)
         /* yes */