fix ajp_msg_get_string buffer checks
authorEric Covener <covener@apache.org>
Sun, 26 Apr 2026 15:50:18 +0000 (15:50 +0000)
committerEric Covener <covener@apache.org>
Sun, 26 Apr 2026 15:50:18 +0000 (15:50 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933342 13f79535-47bb-0310-9956-ffa450edef68

modules/proxy/ajp_msg.c

index 0be63218951af24002bd6d2b6f5bbd0429d4d161..e10db7a0a5392ba9be4255cf691708d9ddcc0684 100644 (file)
@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
     status = ajp_msg_get_uint16(msg, &size);
     start = msg->pos;
 
-    if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
+    if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
+        return ajp_log_overflow(msg, "ajp_msg_get_string");
+    }
+
+    /* Verify that the expected null terminator is actually present */
+    if (msg->buf[start + size] != '\0') {
         return ajp_log_overflow(msg, "ajp_msg_get_string");
     }
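Review bot: The first `if` now bounds the read against `msg->len` alone and drops the old comparison with `msg->max_size`, so the new access `msg->buf[start + size]` stays inside the allocation only if `len` can never exceed the buffer size. Where `len` is assigned is not visible in this hunk. If that invariant is not enforced there, keep both limits, e.g. `(size + start >= msg->len) || (msg->len > msg->max_size)`; if it is, a one-line comment above the check naming where `len` is validated would make the reliance explicit. The body of ajp_msg_get_string starts and ends outside the hunk, and any other getters in this file that still compare against `max_size` (not shown here) may need the same tightening.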