From 283760d18b9bd1c90f4534cc97aae3737c5a059d Mon Sep 17 00:00:00 2001
From: Ryan Bloom
Date: Fri, 6 Oct 2000 16:41:30 +0000
Subject: [PATCH] Fix a potential memory overrun error in ap_get_client_block. The problem is that the bucket code does not respect the length passed into it. This is correct for buckets, but it means that when we get data out of the buckets, we may have to split the bucket to make sure that any copy operations are safe. We were originally doing the split at the number of characters read from the bucket, but we really want to do it at the length of the buffer.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86415 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/http/http_protocol.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index a3ebf727e0..e62322497e 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -2394,16 +2394,20 @@ API_EXPORT(long) ap_get_client_block(request_rec *r, char *buffer, int bufsiz)
 b = AP_BRIGADE_FIRST(r->connection->input_data);
 len_read = len_to_read;
 rv = b->read(b, &tempbuf, &len_read, 0);
- if (len_read < b->length) {
- b->split(b, len_read);
+ if (len_to_read < b->length) {
+ b->split(b, len_to_read);
 }
- memcpy(buffer, tempbuf, len_read);
+ else {
+ len_to_read = len_read;
+ }
+
+ memcpy(buffer, tempbuf, len_to_read);
 AP_BUCKET_REMOVE(b);
 b->destroy(b);
- r->read_length += len_read;
- r->remaining -= len_read;
- return len_read;
+ r->read_length += len_to_read;
+ r->remaining -= len_to_read;
+ return len_to_read;
 }
 /*
-- 
2.40.0
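Review bot: The result of `b->read` is stored in `rv`, but nothing in the visible lines tests it before `memcpy(buffer, tempbuf, len_to_read)`, so a failed read would copy from whatever `tempbuf` holds. In the split branch the copy length is `len_to_read` even though only `len_read` bytes are known to sit behind `tempbuf`; that is safe only if the read always hands back at least `b->length` bytes, which the hunk does not show. I would test `rv` right after the read and replace the `else` assignment with an unconditional clamp, `if (len_read < len_to_read) len_to_read = len_read;`, so the copy can exceed neither the caller's request nor the data actually returned. The function starts and ends outside the hunk, so whether `len_to_read` is already bounded by `bufsiz` cannot be confirmed from here and is worth a one-line comment above the `memcpy`.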