From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:47:51 +0000 (+0000)
Subject: fix length checks in  AJP msg_get functions
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=17e874e2781c1bbbeb2213bd580d371a1091085b;p=thirdparty%2Fapache%2Fhttpd.git

fix length checks in  AJP msg_get functions


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933340 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index b5b3f2c07b..0be6321895 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -395,7 +395,7 @@ apr_status_t ajp_msg_get_uint32(ajp_msg_t *msg, apr_uint32_t *rvalue)
 {
     apr_uint32_t value;
 
-    if ((msg->pos + 3) > msg->len) {
+    if ((msg->pos + 3) >= msg->len) {
         return ajp_log_overflow(msg, "ajp_msg_get_uint32");
     }
 
@@ -420,7 +420,7 @@ apr_status_t ajp_msg_get_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
 {
     apr_uint16_t value;
 
-    if ((msg->pos + 1) > msg->len) {
+    if ((msg->pos + 1) >= msg->len) {
         return ajp_log_overflow(msg, "ajp_msg_get_uint16");
     }
 
@@ -443,7 +443,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
 {
     apr_uint16_t value;
 
-    if ((msg->pos + 1) > msg->len) {
+    if ((msg->pos + 1) >= msg->len) {
         return ajp_log_overflow(msg, "ajp_msg_peek_uint16");
     }
 
@@ -464,7 +464,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
  */
 apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
 {
-    if (msg->pos > msg->len) {
+    if (msg->pos >= msg->len) {
         return ajp_log_overflow(msg, "ajp_msg_peek_uint8");
     }
 
@@ -482,7 +482,7 @@ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
 apr_status_t ajp_msg_get_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
 {
 
-    if (msg->pos > msg->len) {
+    if (msg->pos >= msg->len) {
         return ajp_log_overflow(msg, "ajp_msg_get_uint8");
     }