From: Jeff Trawick Date: Mon, 27 Sep 2010 14:42:00 +0000 (+0000) Subject: backport trunk r683280 X-Git-Tag: 2.0.64~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=679e0edbff68110fd664ee527a3ae2ea5bd689f8;p=thirdparty%2Fapache%2Fhttpd.git backport trunk r683280 mod_ssl: Use memmove instead of memcpy for overlapping buffers Submitted by: jorton Reviewed by: sf, trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001762 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index e25b671b83a..96c9e1ebc7c 100644 --- a/CHANGES +++ b/CHANGES @@ -44,6 +44,8 @@ Changes with Apache 2.0.64 mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] + *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] + *) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. [Nick Kew] diff --git a/STATUS b/STATUS index a82052e281e..5017f0ede72 100644 --- a/STATUS +++ b/STATUS @@ -146,11 +146,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x-backport-r891282.patch +1: rjung, pgollucci (+1 2.0.64 w/ this), wrowe - * mod_ssl: Use memmove instead of memcpy for overlapping buffers - Trunk patch: http://svn.apache.org/viewvc?view=rev&revision=683280 - 2.0.x patch: Trunk patch works - +1: sf, jorton, trawick - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ please place SVN revisions from trunk here, so it is easy to identify exactly what the proposed changes are! Add all new diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index f68ca1ab911..9d4a23b0d0a 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c 
@@ -343,6 +343,13 @@ typedef struct {
  * this char_buffer api might seem silly, but we don't need to copy
  * any of this data and we need to remember the length.
  */
+
+/* Copy up to INL bytes from the char_buffer BUFFER into IN. Note
+ * that due to the strange way this API is designed/used, the
+ * char_buffer object is used to cache a segment of inctx->buffer, and
+ * then this function called to copy (part of) that segment to the
+ * beginning of inctx->buffer. So the segments to copy cannot be
+ * presumed to be non-overlapping, and memmove must be used. */
 static int char_buffer_read(char_buffer_t *buffer, char *in, int inl)
 {
     if (!buffer->length) {
@@ -351,13 +358,13 @@ static int char_buffer_read(char_buffer_t *buffer, char *in, int inl)
     if (buffer->length > inl) {
         /* we have have enough to fill the caller's buffer */
-        memcpy(in, buffer->value, inl);
+        memmove(in, buffer->value, inl);
         buffer->value += inl;
         buffer->length -= inl;
     }
     else {
         /* swallow remainder of the buffer */
-        memcpy(in, buffer->value, buffer->length);
+        memmove(in, buffer->value, buffer->length);
         inl = buffer->length;
         buffer->value = NULL;
         buffer->length = 0;
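Review bot: The new header comment on char_buffer_read explains why memmove is required but leaves the function's contract undocumented: the following hunk shows both branches advancing `buffer->value`/`buffer->length` past the copied bytes, and the else branch sets `inl = buffer->length`, which suggests the return value is the number of bytes actually copied (the `return` itself lies outside the hunk, so that needs confirming). I would add before the closing `*/`: ` * Consumes the copied bytes from BUFFER (value/length are advanced) and` / ` * returns the number of bytes copied, which may be less than INL.` Phrasing the overlap as a stated precondition ("IN may overlap BUFFER's storage") rather than as a narrative about inctx->buffer would keep the comment accurate if the caller changes, and it also records why the switch to memmove must not be reverted to memcpy, whose overlapping use is undefined behaviour. char_buffer_read's body continues past the end of this hunk.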