From: Madhusudan Mathihalli <madhum@apache.org>
Date: Wed, 12 May 2004 21:36:52 +0000 (+0000)
Subject: Fix SEGV in 'shmcb' session cache:
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24ca7033b78040f69ea5925e65ecebb24f4c0ec4;p=thirdparty%2Fapache%2Fhttpd.git

Fix SEGV in 'shmcb' session cache:
When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.

PR: 27751
Submitted by: Geoff Thorpe
Reviewed by: Madhusudan Mathihalli


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103669 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/ssl_scache_shmcb.c b/ssl_scache_shmcb.c
index 5d5e75c70bb..fe8df27cf6d 100644
--- a/ssl_scache_shmcb.c
+++ b/ssl_scache_shmcb.c
@@ -840,6 +840,10 @@ static void shmcb_cyclic_ntoc_memcpy(
     unsigned int dest_offset,
     unsigned char *src, unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (dest_offset + src_len < buf_size)
         /* yes */
@@ -863,6 +867,10 @@ static void shmcb_cyclic_cton_memcpy(
     unsigned int src_offset,
     unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (src_offset + src_len < buf_size)
         /* yes */