Posted to cvs@httpd.apache.org by ma...@apache.org on 2004/05/12 23:36:52 UTC
cvs commit: httpd-2.0/modules/ssl ssl_scache_shmcb.c
madhum 2004/05/12 14:36:52
Modified: . CHANGES
modules/ssl ssl_scache_shmcb.c
Log:
Fix SEGV in 'shmcb' session cache:
When a 'read' or 'write' to session cache is done, we need to check the size
of the data being 'read' or 'written' to avoid buffer over-run.
PR: 27751
Submitted by: Geoff Thorpe
Reviewed by: Madhusudan Mathihalli
Revision Changes Path
1.1477 +4 -0 httpd-2.0/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/httpd-2.0/CHANGES,v
retrieving revision 1.1476
retrieving revision 1.1477
diff -u -r1.1476 -r1.1477
--- CHANGES 10 May 2004 13:58:56 -0000 1.1476
+++ CHANGES 12 May 2004 21:36:51 -0000 1.1477
@@ -2,6 +2,10 @@
[Remove entries to the current 2.0 section below, when backported]
+ *) Fix a potential SEGV in the 'shmcb' session cache when session data
+ size is greater than the size of the cache. PR 27751
+ [Geoff Thorpe <geoff geoffthorpe.net>]
+
*) Proxy server was deleting cookies that Apache had already
assigned if the origin server had set any cookies. PR 27023.
[Jim Jagielski]
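Review bot: The new entry names the trigger ("session data size is greater than the size of the cache") but not what now happens to such a session. The accompanying code change clamps the copy length rather than rejecting the session, so the entry should say whether an oversized session is stored truncated or not cached. An administrator reading CHANGES then knows to size the cache accordingly.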
1.26 +8 -0 httpd-2.0/modules/ssl/ssl_scache_shmcb.c
Index: ssl_scache_shmcb.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_scache_shmcb.c,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- ssl_scache_shmcb.c 28 Feb 2004 18:06:35 -0000 1.25
+++ ssl_scache_shmcb.c 12 May 2004 21:36:52 -0000 1.26
@@ -840,6 +840,10 @@
unsigned int dest_offset,
unsigned char *src, unsigned int src_len)
{
+ /* Cover the case that src_len > buf_size */
+ if (src_len > buf_size)
+ src_len = buf_size;
+
/* Can it be copied all in one go? */
if (dest_offset + src_len < buf_size)
/* yes */
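Review bot: The clamp "if (src_len > buf_size) src_len = buf_size;" at the top of this write-side helper silently truncates the input, and nothing in these lines tells the caller that fewer bytes were copied than requested, so a partial session record could end up in the cache. Consider rejecting an oversized session in the caller before it reaches this copy, or returning a status from here. Also note that the following test "dest_offset + src_len < buf_size" still assumes dest_offset is below buf_size; a check or assertion on dest_offset would make the bound complete.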
@@ -863,6 +867,10 @@
unsigned int src_offset,
unsigned int src_len)
{
+ /* Cover the case that src_len > buf_size */
+ if (src_len > buf_size)
+ src_len = buf_size;
+
/* Can it be copied all in one go? */
if (src_offset + src_len < buf_size)
/* yes */
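Review bot: On the read side, a src_len larger than buf_size can only come from a length that does not match what the cache can hold, so clamping it and carrying on hands the caller buf_size bytes of wrapped-around data as if it were a valid record. Treating this case as an error (and having the caller discard the entry) would be safer than the clamp at the top of this function. The visible lines also do not bound src_offset against buf_size or show the destination size being checked, and the same four-line guard is now duplicated in both helpers, so a shared check with a comment explaining why src_len can exceed buf_size would be easier to maintain.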