Posted to cvs@httpd.apache.org by ma...@apache.org on 2004/05/12 23:36:52 UTC

cvs commit: httpd-2.0/modules/ssl ssl_scache_shmcb.c

madhum      2004/05/12 14:36:52

  Modified:    .        CHANGES
               modules/ssl ssl_scache_shmcb.c
  Log:
  Fix SEGV in 'shmcb' session cache:
  When a 'read' or 'write' to session cache is done, we need to check the size
  of the data being 'read' or 'written' to avoid buffer over-run.
  
  PR: 27751
  Submitted by: Geoff Thorpe
  Reviewed by: Madhusudan Mathihalli
  
  Revision  Changes    Path
  1.1477    +4 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1476
  retrieving revision 1.1477
  diff -u -r1.1476 -r1.1477
  --- CHANGES	10 May 2004 13:58:56 -0000	1.1476
  +++ CHANGES	12 May 2004 21:36:51 -0000	1.1477
  @@ -2,6 +2,10 @@
   
     [Remove entries to the current 2.0 section below, when backported]
   
  +  *) Fix a potential SEGV in the 'shmcb' session cache when session data
  +     size is greater than the size of the cache. PR 27751
  +     [Geoff Thorpe <geoff geoffthorpe.net>]
  +
     *) Proxy server was deleting cookies that Apache had already
        assigned if the origin server had set any cookies. PR 27023.
        [Jim Jagielski]
  
  
  
  1.26      +8 -0      httpd-2.0/modules/ssl/ssl_scache_shmcb.c
  
  Index: ssl_scache_shmcb.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_scache_shmcb.c,v
  retrieving revision 1.25
  retrieving revision 1.26
  diff -u -r1.25 -r1.26
  --- ssl_scache_shmcb.c	28 Feb 2004 18:06:35 -0000	1.25
  +++ ssl_scache_shmcb.c	12 May 2004 21:36:52 -0000	1.26
  @@ -840,6 +840,10 @@
       unsigned int dest_offset,
       unsigned char *src, unsigned int src_len)
   {
  +    /* Cover the case that src_len > buf_size */
  +    if (src_len > buf_size)
  +        src_len = buf_size;
  +
       /* Can it be copied all in one go? */
       if (dest_offset + src_len < buf_size)
           /* yes */
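Review bot: Clamping `src_len` to `buf_size` at the top of this function stops the over-run but silently truncates the data, so a session larger than the cache would be stored incomplete without the caller being told. The signature and the rest of the body lie outside the hunk, so whether the caller can detect this is not visible here; if it cannot, the size check belongs in the caller, which should decline to cache the session, and the clamp should carry a comment such as `/* Defensive only: callers must reject src_len > buf_size; excess bytes are dropped */`. `dest_offset` is still used unchecked in `dest_offset + src_len < buf_size`, and a value at or beyond `buf_size` would presumably still index outside the buffer, so a range check on it (for example `if (dest_offset >= buf_size) return;`, assuming a void return) would complete the guard. The same points apply to the second hunk, with `src_offset` in place of `dest_offset`.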
  @@ -863,6 +867,10 @@
       unsigned int src_offset,
       unsigned int src_len)
   {
  +    /* Cover the case that src_len > buf_size */
  +    if (src_len > buf_size)
  +        src_len = buf_size;
  +
       /* Can it be copied all in one go? */
       if (src_offset + src_len < buf_size)
           /* yes */
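Review bot: The clamp added here bounds `src_len` by the size of the cyclic buffer, not by the capacity of the linear destination the bytes are copied into. The destination parameter and its size are outside the hunk, so this cannot be confirmed from here, but if the caller passes a fixed-size buffer, a stored length larger than that buffer could still overflow it after this check. The caller should compare the stored length with its destination size before calling, and a comment here such as `/* dest must hold at least src_len bytes; not checked here */` would make the contract explicit.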