From: Stefan Eissing Date: Thu, 7 May 2026 09:33:12 +0000 (+0000) Subject: mod_proxy_http2: fix potential (harmless) buffer overrun in link mapping X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8f43e250ec6cc37a2f7dd9886effa90b1e6cfb38;p=thirdparty%2Fapache%2Fhttpd.git mod_proxy_http2: fix potential (harmless) buffer overrun in link mapping git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933903 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/http2/h2_proxy_util.c b/modules/http2/h2_proxy_util.c index c0b3948c2e..ea9da14ee8 100644 --- a/modules/http2/h2_proxy_util.c +++ b/modules/http2/h2_proxy_util.c @@ -966,11 +966,8 @@ static void map_link(link_ctx *ctx) apr_cpystrn(buffer, ctx->p_server_uri, sizeof(buffer)); buffer_len = ctx->psu_len; } - if (need_len > sizeof(buffer)) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, ctx->r, APLOGNO(03482) - "link_reverse_map uri too long, skipped: %s", ctx->s); - return; - } + if (need_len > sizeof(buffer)) + goto out; apr_cpystrn(buffer + buffer_len, ctx->s + ctx->link_start, link_len + 1); if (!prepend_p_server && strcmp(ctx->real_backend_uri, ctx->p_server_uri) @@ -979,6 +976,9 @@ static void map_link(link_ctx *ctx) * to work, we need to use the proxy uri */ int path_start = ctx->link_start + ctx->rbu_len; link_len -= ctx->rbu_len; + need_len = ctx->psu_len + link_len; + if (need_len > sizeof(buffer)) + goto out; memcpy(buffer, ctx->p_server_uri, ctx->psu_len); memcpy(buffer + ctx->psu_len, ctx->s + path_start, link_len); buffer_len = ctx->psu_len + link_len; @@ -999,6 +999,11 @@ static void map_link(link_ctx *ctx) } subst_str(ctx, ctx->link_start, ctx->link_end, mapped); } +out: + if (need_len > sizeof(buffer)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, ctx->r, APLOGNO(03482) + "link_reverse_map uri too long, skipped: %s", ctx->s); + } } }