From 24ca7033b78040f69ea5925e65ecebb24f4c0ec4 Mon Sep 17 00:00:00 2001 From: Madhusudan Mathihalli Date: Wed, 12 May 2004 21:36:52 +0000 Subject: [PATCH] Fix SEGV in 'shmcb' session cache: When a 'read' or 'write' to session cache is done, we need to check the size of the data being 'read' or 'written' to avoid buffer over-run. PR: 27751 Submitted by: Geoff Thorpe Reviewed by: Madhusudan Mathihalli git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@103669 13f79535-47bb-0310-9956-ffa450edef68 --- ssl_scache_shmcb.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ssl_scache_shmcb.c b/ssl_scache_shmcb.c index 5d5e75c70bb..fe8df27cf6d 100644 --- a/ssl_scache_shmcb.c +++ b/ssl_scache_shmcb.c @@ -840,6 +840,10 @@ static void shmcb_cyclic_ntoc_memcpy( unsigned int dest_offset, unsigned char *src, unsigned int src_len) { + /* Cover the case that src_len > buf_size */ + if (src_len > buf_size) + src_len = buf_size; + /* Can it be copied all in one go? */ if (dest_offset + src_len < buf_size) /* yes */ @@ -863,6 +867,10 @@ static void shmcb_cyclic_cton_memcpy( unsigned int src_offset, unsigned int src_len) { + /* Cover the case that src_len > buf_size */ + if (src_len > buf_size) + src_len = buf_size; + /* Can it be copied all in one go? */ if (src_offset + src_len < buf_size) /* yes */ -- 2.47.2
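Review bot: Clamping `src_len` to `buf_size` in shmcb_cyclic_ntoc_memcpy stops the over-run but silently truncates the write: the function returns void, so the caller cannot tell that only part of the session was stored, and a truncated record may later be read back as if it were complete. The identical guard in shmcb_cyclic_cton_memcpy has the same effect on reads. Callers should reject a length larger than the data area before calling, keeping the clamp as a last line of defence with a comment such as `/* Defensive only: callers must reject src_len > buf_size; data is truncated here */`. The guard also leaves `dest_offset` unchecked, while the following test `dest_offset + src_len < buf_size` appears to assume it is already below `buf_size`. The rest of the body and the callers lie outside the hunk, so that invariant should be confirmed there.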
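Review bot: In shmcb_cyclic_cton_memcpy the new clamp bounds the read from the cyclic buffer but not the write into the destination, because `buf_size` describes the source ring and nothing in the hunk relates `src_len` to the destination's capacity. If the caller's destination can be smaller than `buf_size`, an oversized stored length could still overrun it. The signature begins outside the hunk, so this is inferred from the visible parameter names and should be checked against the callers. Consider having the caller compare the stored length with its own buffer size before the call, and state the requirement above the guard, e.g. `/* dest must hold at least src_len bytes; caller validates against its own buffer size */`.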