From: Eric Covener
Date: Sun, 26 Apr 2026 15:50:18 +0000 (+0000)
Subject: fix ajp_msg_get_string buffer checks
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=250fa4a42f43a6ddf99861dfa910971eff69eced;p=thirdparty%2Fapache%2Fhttpd.git
fix ajp_msg_get_string buffer checks
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933342 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index 0be6321895..e10db7a0a5 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
 status = ajp_msg_get_uint16(msg, &size);
 start = msg->pos;
- if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
+ if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
+ return ajp_log_overflow(msg, "ajp_msg_get_string");
+ }
+
+ /* Verify that the expected null terminator is actually present */
+ if (msg->buf[start + size] != '\0') {
 return ajp_log_overflow(msg, "ajp_msg_get_string");
 }
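Review bot: The new bound `size + start >= msg->len` is what keeps the following read of `msg->buf[start + size]` inside the received message, but nothing at the first `if` says so, and the `>=` reads like an off-by-one to anyone who does not know the terminator sits one byte past the declared length. A comment above that `if`, such as `/* size excludes the trailing NUL, so start + size must still index a byte inside msg->len */`, would keep it from being "corrected" back to `>`. Both rejections also call `ajp_log_overflow` with the same `"ajp_msg_get_string"` string, so a log reader cannot tell an oversized length from a missing terminator. If that helper only takes a context string (its definition is not visible here), a distinct one for the second case, e.g. `"ajp_msg_get_string (unterminated)"`, would help when triaging malformed backend traffic. The check also presumes `msg->len` was already validated against the allocated buffer size elsewhere; the function body starts and ends outside the hunk, so that cannot be confirmed here.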