From: Madhusudan Mathihalli Date: Wed, 12 May 2004 21:36:52 +0000 (+0000) Subject: Fix SEGV in 'shmcb' session cache: X-Git-Tag: pre_ajp_proxy~260 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8a35d297cfbbe3cf3c76d0dba5e6def189408a9d;p=apache Fix SEGV in 'shmcb' session cache: When a 'read' or 'write' to session cache is done, we need to check the size of the data being 'read' or 'written' to avoid buffer over-run. PR: 27751 Submitted by: Geoff Thorpe Reviewed by: Madhusudan Mathihalli git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103669 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 3c05367786..2732440cb6 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.1.0-dev [Remove entries to the current 2.0 section below, when backported] + *) Fix a potential SEGV in the 'shmcb' session cache when session data + size is greater than the size of the cache. PR 27751 + [Geoff Thorpe ] + *) Proxy server was deleting cookies that Apache had already assigned if the origin server had set any cookies. PR 27023. [Jim Jagielski] diff --git a/modules/ssl/ssl_scache_shmcb.c b/modules/ssl/ssl_scache_shmcb.c index 5d5e75c70b..fe8df27cf6 100644 --- a/modules/ssl/ssl_scache_shmcb.c +++ b/modules/ssl/ssl_scache_shmcb.c @@ -840,6 +840,10 @@ static void shmcb_cyclic_ntoc_memcpy( unsigned int dest_offset, unsigned char *src, unsigned int src_len) { + /* Cover the case that src_len > buf_size */ + if (src_len > buf_size) + src_len = buf_size; + /* Can it be copied all in one go? */ if (dest_offset + src_len < buf_size) /* yes */ @@ -863,6 +867,10 @@ static void shmcb_cyclic_cton_memcpy( unsigned int src_offset, unsigned int src_len) { + /* Cover the case that src_len > buf_size */ + if (src_len > buf_size) + src_len = buf_size; + /* Can it be copied all in one go? */ if (src_offset + src_len < buf_size) /* yes */
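Review bot: In the CHANGES hunk, the new entry names the symptom ("potential SEGV ... when session data size is greater than the size of the cache") but not the behaviour that replaces it. The code hunks clamp src_len to buf_size, so oversized data is now shortened rather than rejected. The entry should say so, so that anyone reading the changelog knows an oversized session is truncated in the cache instead of crashing the server.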
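Review bot: In the shmcb_cyclic_ntoc_memcpy hunk of modules/ssl/ssl_scache_shmcb.c, the added clamp "if (src_len > buf_size) src_len = buf_size;" stops the over-run but silently truncates what is written, and the caller has no way to learn that the stored data is incomplete. Consider rejecting an oversized write in the caller before this helper is reached, or changing the helper to report the shortened length, and at minimum expand the comment to state that the data is truncated. Note also that when src_len equals buf_size the one-go test "dest_offset + src_len < buf_size" is always false, so the copy takes the wrap-around path, which is not visible in this hunk and should be confirmed correct for a full-buffer copy. Nothing in the visible lines checks that dest_offset itself is below buf_size.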
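Review bot: In the shmcb_cyclic_cton_memcpy hunk, the same clamp bounds src_len only by the cyclic buffer's buf_size, not by the capacity of the destination, and it hides the fact that the requested length was invalid in the first place. A length larger than the whole buffer on the read side most likely means the length was taken from corrupted or untrusted cache contents, so it would be safer to treat it as an error in the caller (fail the lookup) than to copy buf_size bytes and carry on. As on the write side, src_offset is not range-checked in the visible lines, and the comment "Cover the case that src_len > buf_size" should say what the code does in that case. The check is now duplicated verbatim in both helpers, so a small shared validation step would keep the two from drifting apart.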