author | Glenn Strauss <gstrauss@gluelogic.com> | 2022-08-14 23:19:16 -0400 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2022-08-14 23:19:16 -0400 |
commit | 0b49e767b906d6861f63d3764001bd73a65265dc (patch) | |
tree | 7f8bc5695f45dcc1d663367b7a851fb1b39ca254 /src | |
parent | 6524a2fb6faa2b4281c6d45bc0c15879a011a718 (diff) | |
download | lighttpd-git-0b49e767b906d6861f63d3764001bd73a65265dc.tar.gz |
[mod_ajp13] fix crash with bad response headers (fixes #3170)
fix crash with bad response headers from AJP13 backend
(thx Michał Dardas)
x-ref:
"mod_ajp13 read heap buffer overflow"
https://redmine.lighttpd.net/issues/3170
Diffstat (limited to 'src')
-rw-r--r-- | src/mod_ajp13.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/mod_ajp13.c b/src/mod_ajp13.c
index c5c96950..2134d093 100644
--- a/src/mod_ajp13.c
+++ b/src/mod_ajp13.c
@@ -812,6 +812,12 @@ ajp13_recv_parse_loop (request_st * const r, handler_ctx * const hctx)
 switch(ptr[4]) {
 case AJP13_SEND_HEADERS:
 if (0 == r->resp_body_started) {
+ if (plen < 3) {
+ log_error(errh, __FILE__, __LINE__,
+ "AJP13: headers packet received with invalid length");
+ return HANDLER_FINISHED;
+ }
+
 buffer *hdrs = hctx->response;
 if (NULL == hdrs) {
 hdrs = r->tmp_buf; |
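Review bot: The new `if (plen < 3)` guard in the AJP13_SEND_HEADERS case uses a bare constant with no comment saying which fields those three bytes cover, so a later reader cannot tell whether the bound is complete. I would add a comment above it along the lines of `/* minimum: prefix code + 2-byte status — TODO confirm against the header parser */`. The guard can only reject packets shorter than that fixed-size prefix; the length-prefixed fields that follow presumably each need their own check against the remaining plen, and that parsing is outside this hunk, so it is worth confirming there. Including the received plen in the "invalid length" log message, with a format specifier matching its declared type, would also help when triaging a misbehaving backend. The enclosing function ajp13_recv_parse_loop starts and ends outside the hunk.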