From 448e973dfa54af5fc6bcd7330d973c9e13d2ea15 Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Wed, 13 May 2009 18:58:28 +0000 Subject: [PATCH] Bounds check... id can't be >= number of slots (0 indexing) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@774491 13f79535-47bb-0310-9956-ffa450edef68 --- modules/mem/mod_sharedmem.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/mem/mod_sharedmem.c b/modules/mem/mod_sharedmem.c index 57713e0f93..a82dfcd64a 100644 --- a/modules/mem/mod_sharedmem.c +++ b/modules/mem/mod_sharedmem.c @@ -433,7 +433,7 @@ static apr_status_t slotmem_mem(ap_slotmem_t *slot, unsigned int id, void **mem) if (!slot) { return APR_ENOSHMAVAIL; } - if (id < 0 || id > slot->num) { + if (id < 0 || id >= slot->num) { return APR_ENOSHMAVAIL; } @@ -457,8 +457,8 @@ static apr_status_t slotmem_get(ap_slotmem_t *slot, unsigned int id, unsigned ch } inuse = (slot->base + (slot->size * slot->num)); - if (!inuse[id]) { - return APR_ENOSHMAVAIL; + if (id >= slot->num || !inuse[id] ) { + return APR_NOTFOUND; } ret = slotmem_mem(slot, id, &ptr); if (ret != APR_SUCCESS) { @@ -480,8 +480,8 @@ static apr_status_t slotmem_put(ap_slotmem_t *slot, unsigned int id, unsigned ch } inuse = (slot->base + (slot->size * slot->num)); - if (!inuse[id]) { - return APR_ENOSHMAVAIL; + if (id >= slot->num || !inuse[id] ) { + return APR_NOTFOUND; } ret = slotmem_mem(slot, id, &ptr); if (ret != APR_SUCCESS) { @@ -541,9 +541,9 @@ static apr_status_t slotmem_return(ap_slotmem_t *slot, unsigned int id) inuse = (slot->base + (slot->size * slot->num)); SLOTMEM_LOCK(slot->smutex); - if (!inuse[id]) { + if (id >= slot->num || !inuse[id] ) { SLOTMEM_UNLOCK(slot->smutex); - return APR_ENOSHMAVAIL; + return APR_NOTFOUND; } inuse[id] = 0; SLOTMEM_UNLOCK(slot->smutex); -- 2.40.0