rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c10
httpd/httpd-2.4.63-CVE-2026-34032.patch
AlmaLinux RelEng Bot ee8c91751e import UBI httpd-2.4.63-13.el10_2.1
2026-05-27 19:21:37 -04:00

34 lines
1.1 KiB
Diff
Raw Permalink Blame History

From b8def8fe323f7f67d0e03bb83c67d66bd8d7fcb2 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:50:50 +0000
Subject: [PATCH] Merge r1933342 from trunk:
fix ajp_msg_get_string buffer checks
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933343 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/ajp_msg.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index 36533c59059..3d4186a521c 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
status = ajp_msg_get_uint16(msg, &size);
start = msg->pos;
- if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
+ if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
+ return ajp_log_overflow(msg, "ajp_msg_get_string");
+ }
+
+ /* Verify that the expected null terminator is actually present */
+ if (msg->buf[start + size] != '\0') {
return ajp_log_overflow(msg, "ajp_msg_get_string");
}
Reference in New Issue View Git Blame Copy Permalink