From: Joe Orton Date: Tue, 17 Aug 2004 16:31:23 +0000 (+0000) Subject: * modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix rollback X-Git-Tag: STRIKER_2_1_0_RC1~105 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=63b4ad0dcbd23eb38b128786d0fbe289c629b0ca;p=apache * modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix rollback handling for AP_MODE_SPECULATIVE. PR: 30134 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@104687 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 72bc653a09..408dd28a1f 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,11 @@ Changes with Apache 2.1.0-dev [Remove entries to the current 2.0 section below, when backported] + *) SECURITY: CAN-2004-0751 (cve.mitre.org) + mod_ssl: Fix a segfault in the SSL input filter which could be + triggered if using "speculative" mode, for instance by a + proxy request to an SSL server. PR 30134 [Joe Orton] + *) Add test_config hook, run only if httpd is invoked using -t. [Joe Orton] diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 29e9a650f8..671fa5a547 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -564,8 +564,12 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx, *len = bytes; if (inctx->mode == AP_MODE_SPECULATIVE) { /* We want to rollback this read. */ - inctx->cbuf.value -= bytes; - inctx->cbuf.length += bytes; + if (inctx->cbuf.length > 0) { + inctx->cbuf.value -= bytes; + inctx->cbuf.length += bytes; + } else { + char_buffer_write(&inctx->cbuf, buf, (int)bytes); + } return APR_SUCCESS; } /* This could probably be *len == wanted, but be safe from stray
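Review bot: In the modules/ssl/ssl_engine_io.c hunk, the new `if (inctx->cbuf.length > 0)` test carries no comment explaining why rewinding `inctx->cbuf.value` is only valid in that case, and the existing comment "We want to rollback this read." now sits above two different rollback mechanisms. As written, a non-empty `cbuf` is taken to mean that all `bytes` were served from it, so the pointer can be moved back, while the else branch re-buffers the data from `buf`; please state that invariant in the comment so a later change to the read path does not quietly reintroduce the bad pointer arithmetic. The `(int)bytes` cast in the `char_buffer_write(&inctx->cbuf, buf, (int)bytes)` call also narrows without explanation; either note why `bytes` always fits or add an explicit bound, and say whether ignoring any result of that call is intended.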