From 82acd1a876f0bc77753c3b0bd7bee36e021bb274 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Wed, 13 May 2026 15:58:31 +0200
Subject: [PATCH] Resolves: RHEL-175088 - httpd:2.4/httpd: off-by-one out-of-bounds reads in AJP getter functions (CVE-2026-33857)
---
 httpd-2.4.37-CVE-2026-33857.patch | 49 +++++++++++++++++++++++++++++++
 httpd.spec | 5 ++++
 2 files changed, 54 insertions(+)
 create mode 100644 httpd-2.4.37-CVE-2026-33857.patch
diff --git a/httpd-2.4.37-CVE-2026-33857.patch b/httpd-2.4.37-CVE-2026-33857.patch
new file mode 100644
index 0000000..4f3f886
--- /dev/null
+++ b/httpd-2.4.37-CVE-2026-33857.patch
@@ -0,0 +1,49 @@
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index a1c009f..6443b36 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -395,7 +395,7 @@ apr_status_t ajp_msg_get_uint32(ajp_msg_t *msg, apr_uint32_t *rvalue)
+ {
+ apr_uint32_t value;
+ 
+- if ((msg->pos + 3) > msg->len) {
++ if ((msg->pos + 3) >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_get_uint32");
+ }
+ 
+@@ -420,7 +420,7 @@ apr_status_t ajp_msg_get_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ {
+ apr_uint16_t value;
+ 
+- if ((msg->pos + 1) > msg->len) {
++ if ((msg->pos + 1) >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_get_uint16");
+ }
+ 
+@@ -443,7 +443,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ {
+ apr_uint16_t value;
+ 
+- if ((msg->pos + 1) > msg->len) {
++ if ((msg->pos + 1) >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_peek_uint16");
+ }
+ 
+@@ -464,7 +464,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ */
+ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ {
+- if (msg->pos > msg->len) {
++ if (msg->pos >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_peek_uint8");
+ }
+ 
+@@ -482,7 +482,7 @@ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ apr_status_t ajp_msg_get_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ {
+ 
+- if (msg->pos > msg->len) {
++ if (msg->pos >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_get_uint8");
+ }
+ 
diff --git a/httpd.spec b/httpd.spec
index 3f94525..4c2e36b 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -303,6 +303,8 @@ Patch254: httpd-2.4.37-CVE-2025-58098.patch
 Patch255: httpd-2.4.37-CVE-2026-28780.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2465299
 Patch256: httpd-2.4.37-CVE-2026-33007.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2464953
+Patch257: httpd-2.4.37-CVE-2026-33857.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
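Review bot: The five nested hunks change the guard from `>` to `>=`, which is the right boundary for what each getter consumes — indices `pos..pos+3` for ajp_msg_get_uint32, `pos..pos+1` for ajp_msg_get_uint16 and ajp_msg_peek_uint16, and `pos` alone for the uint8 pair — since the old form accepted a read at index `len`; the reads themselves sit outside every hunk, so this is inferred from the offsets in the checks, not verified here. The invariant is easier to audit if each check says what it protects, e.g. `/* consumes buf[pos..pos+3]; reject unless pos+3 < len */` above the uint32 check, with the matching offset in the others. The patch adds no regression test; a message positioned so that the remaining bytes are one short of the width (e.g. `pos == len - 3` before ajp_msg_get_uint32) would pin the new rejection and distinguish it from the old behaviour. Any other getter in ajp_msg.c that validates against `msg->len` with the same `>` shape (the length-prefixed string/bytes readers are not part of this patch) is worth the same review, if that has not already been confirmed against upstream. Each enclosing function starts or continues outside its hunk.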
@@ -549,6 +551,7 @@ interface for storing and accessing per-user session data.
 %patch254 -p1 -b .CVE-2025-58098
 %patch255 -p1 -b .CVE-2026-28780
 %patch256 -p1 -b .CVE-2026-33007
+%patch257 -p1 -b .CVE-2026-33857
 
 %patch96 -p1 -b .r1922080
 
@@ -1065,6 +1068,8 @@ rm -rf $RPM_BUILD_ROOT
 Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780)
 - Resolves: RHEL-175074 - httpd:2.4/httpd: NULL pointer dereference can cause a child process crash (CVE-2026-33007)
+- Resolves: RHEL-175088 - httpd:2.4/httpd: off-by-one out-of-bounds reads
+ in AJP getter functions (CVE-2026-33857)
 
 * Fri Dec 12 2025 Luboš Uhliarik - 2.4.37-65.7
 - Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass