Fix SEGV in 'shmcb' session cache:

When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.

PR: 27751
Submitted by: Geoff Thorpe
Reviewed by: Madhusudan Mathihalli

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103669 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/ssl_scache_shmcb.c b/ssl_scache_shmcb.c
index 5d5e75c70bba659011a93a4b12bde33d4a805e5c..fe8df27cf6d784fd6159a869cb7d42a192424955 100644 (file)
--- a/ssl_scache_shmcb.c
+++ b/ssl_scache_shmcb.c
@@ -840,6 +840,10 @@ static void shmcb_cyclic_ntoc_memcpy(
     unsigned int dest_offset,
     unsigned char *src, unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (dest_offset + src_len < buf_size)
         /* yes */
@@ -863,6 +867,10 @@ static void shmcb_cyclic_cton_memcpy(
     unsigned int src_offset,
     unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (src_offset + src_len < buf_size)
         /* yes */