fix ajp_parse_data message len check

author Eric Covener <covener@apache.org>

Sun, 26 Apr 2026 15:53:19 +0000 (15:53 +0000)

committer Eric Covener <covener@apache.org>

Sun, 26 Apr 2026 15:53:19 +0000 (15:53 +0000)
author Eric Covener <covener@apache.org>
Sun, 26 Apr 2026 15:53:19 +0000 (15:53 +0000)
committer Eric Covener <covener@apache.org>
Sun, 26 Apr 2026 15:53:19 +0000 (15:53 +0000)
diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c

index 00db324e42630694c53679238a6d67292317da7c..358ee084ec26ae088f6e7b426a0c9a6f126cbd5a 100644 (file)
--- a/modules/proxy/ajp_header.c
+++ b/modules/proxy/ajp_header.c
@@ -835,6 +835,11 @@ apr_status_t  ajp_parse_data(request_rec  *r, ajp_msg_t *msg,
       * 1                 : The last byte of this message always seems to be
       *                     0x00 and is not part of the chunk.
       */
+    if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+               "ajp_parse_data: Message too small");
+        return AJP_EBAD_HEADER;
+    }
      expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
      if (*len != expected_len) {
          ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00998)
author	Eric Covener <covener@apache.org>
	Sun, 26 Apr 2026 15:53:19 +0000 (15:53 +0000)
committer	Eric Covener <covener@apache.org>
	Sun, 26 Apr 2026 15:53:19 +0000 (15:53 +0000)