From: Nick Kew Date: Fri, 21 Apr 2006 18:43:36 +0000 (+0000) Subject: Backport fix to PR#39282 X-Git-Tag: 2.2.2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d67dd0f63b966cacbe06638f8dd6ed546a55fa7;p=thirdparty%2Fapache%2Fhttpd.git Backport fix to PR#39282 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@395985 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 34cd6ea007d..7ee7871642e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.2 + *) core: Prevent reading uninitialized memory while reading a line of + protocol input. PR 39282. [Davi Arnaut ] + *) mod_dbd: Update defaults, improve error reporting. [Chris Darroch , Nick Kew] diff --git a/STATUS b/STATUS index 27c098e1f4e..b8bbd1d5a27 100644 --- a/STATUS +++ b/STATUS @@ -107,23 +107,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: Trunk version works +1: rpluem, jim, wrowe - * core: Prevent read of unitialized memory in ap_rgetline_core. PR 39282. - Trunk version of patch: - http://svn.apache.org/viewcvs?rev=394070&view=rev - 2.2.x version of patch: - Trunk version works - +1: rpluem, trawick (with rev 295381), pquerna (with rev 295381) - niq: the new comment isn't accurate; it applies to any brigade - containing only (one or more) zero-length buckets. The existing - comment misled my review! Fix the comment and you have my +1 - for the fix. - jim: agrees with niq. - rpluem: Does http://svn.apache.org/viewcvs?rev=395381&view=rev address - the concerns (BTW: Same text as colm used in the backport to 2.0.x - (r395197))? - jim, does your agreement with niq also include his +1 in the case - the comment is fixed? - PATCHES PROPOSED TO BACKPORT FROM TRUNK: * Backport mod_authz_dbd (it's had some testing now) diff --git a/server/protocol.c b/server/protocol.c index f8980eb870d..5f82d6af6ef 100644 --- a/server/protocol.c +++ b/server/protocol.c 
@@ -217,6 +217,15 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n, char *pos, *last_char = *s; int do_alloc = (*s == NULL), saw_eos = 0; + /* + * Initialize last_char as otherwise a random value will be compared + * against APR_ASCII_LF at the end of the loop if bb only contains + * zero-length buckets. + */ + if (last_char) { + *last_char = '\0'; + } + for (;;) { apr_brigade_cleanup(bb); rv = ap_get_brigade(r->input_filters, bb, AP_MODE_GETLINE,
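Review bot: In the server/protocol.c hunk, the new `if (last_char) { *last_char = '\0'; }` initializes the byte only when the caller supplied a buffer. When `*s == NULL` (the `do_alloc` case), `last_char` stays NULL, and the added comment does not say what the end-of-loop comparison against APR_ASCII_LF does on that path if bb holds only zero-length buckets. Please either extend the comment to say where the allocating path is covered or add the handling for it. The store also writes one byte into the caller's buffer before any input is read, so it relies on `n` being at least 1. The visible lines do not check that, so a guard or a documented precondition on `n` would help. Minor wording point: "a random value" in the comment would be more precise as "an uninitialized value".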
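Review bot: In the CHANGES hunk, the new entry does not name the affected function, although the STATUS entry removed by this same commit identifies it as ap_rgetline_core. Adding the function name to the CHANGES line would make it easier for packagers and administrators to match this fix to PR 39282 when checking whether a given build is affected.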