From: Joe Orton <jorton@apache.org>
Date: Tue, 1 Jun 2004 20:27:11 +0000 (+0000)
Subject: * modules/ssl/ssl_scache_shmcb.c (shmcb_cyclic_ntoc_memcpy,
X-Git-Tag: 2.0.50~50
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e539494ac9737d5cbec1b9619e0ee23e50065c11;p=thirdparty%2Fapache%2Fhttpd.git

* modules/ssl/ssl_scache_shmcb.c (shmcb_cyclic_ntoc_memcpy,
shmcb_cyclic_cton_memcpy): Fix potential shmcb segfault for small
cache sizes.

PR: 27751
Submitted by: Geoff Thorpe <geoff geoffthorpe.net>
Reviewed by: Madhusudan Mathihalli, Joe Orton, Jeff Trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@103818 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index ee4d1def143..255de92ac4b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.50
 
+  *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
+     small cache sizes.  PR 27751.  [Geoff Thorpe <geoff geoffthorpe.net>]
+
   *) Remove 2Gb log file size restriction on some 32-bit platforms.
      PR 13511.  [Joe Orton]
 
diff --git a/STATUS b/STATUS
index 854bf154e9a..3255bbef6bc 100644
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS:                                              -*-text-*-
-Last modified at [$Date: 2004/06/01 15:30:15 $]
+Last modified at [$Date: 2004/06/01 20:27:10 $]
 
 Release:
 
@@ -96,10 +96,6 @@ PATCHES TO BACKPORT FROM 2.1
        build/rpm/httpd.spec.in: r1.5
        +1: minfrin, nd
 
-    *) mod_ssl: Fix potential SEGV in 'shmcb' session cache.
-       modules/ssl/ssl_scache_shmcb.c: r1.26
-       +1: madhum, jorton, trawick
-
     *) mod_cgi: Handle stderr output during script execution
        http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/generators/mod_cgi.c?r1=1.160&r2=1.163
        PR: 22030, 18348
diff --git a/modules/ssl/ssl_scache_shmcb.c b/modules/ssl/ssl_scache_shmcb.c
index af1274a28e6..06c1ed0873f 100644
--- a/modules/ssl/ssl_scache_shmcb.c
+++ b/modules/ssl/ssl_scache_shmcb.c
@@ -848,6 +848,10 @@ static void shmcb_cyclic_ntoc_memcpy(
     unsigned int dest_offset,
     unsigned char *src, unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (dest_offset + src_len < buf_size)
         /* yes */
@@ -871,6 +875,10 @@ static void shmcb_cyclic_cton_memcpy(
     unsigned int src_offset,
     unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (src_offset + src_len < buf_size)
         /* yes */