[mod_ajp13] fix crash with bad response headers (fixes #3170)

fix crash with bad response headers from AJP13 backend (thx Michał Dardas) x-ref: "mod_ajp13 read heap buffer overflow" https://redmine.lighttpd.net/issues/3170
author: Glenn Strauss <gstrauss@gluelogic.com> 2022-08-14 23:19:16 -0400
committer: Glenn Strauss <gstrauss@gluelogic.com> 2022-08-14 23:19:16 -0400
commit: 0b49e767b906d6861f63d3764001bd73a65265dc (patch)
tree: 7f8bc5695f45dcc1d663367b7a851fb1b39ca254 /src
parent: 6524a2fb6faa2b4281c6d45bc0c15879a011a718 (diff)
download: lighttpd-git-0b49e767b906d6861f63d3764001bd73a65265dc.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/src/mod_ajp13.c b/src/mod_ajp13.c
index c5c96950..2134d093 100644
--- a/src/mod_ajp13.c
+++ b/src/mod_ajp13.c
@@ -812,6 +812,12 @@ ajp13_recv_parse_loop (request_st * const r, handler_ctx * const hctx)
         switch(ptr[4]) {
         case AJP13_SEND_HEADERS:
             if (0 == r->resp_body_started) {
+                if (plen < 3) {
+                    log_error(errh, __FILE__, __LINE__,
+                      "AJP13: headers packet received with invalid length");
+                    return HANDLER_FINISHED;
+                }
+
                 buffer *hdrs = hctx->response;
                 if (NULL == hdrs) {
                     hdrs = r->tmp_buf;
author	Glenn Strauss <gstrauss@gluelogic.com>	2022-08-14 23:19:16 -0400
committer	Glenn Strauss <gstrauss@gluelogic.com>	2022-08-14 23:19:16 -0400
commit	0b49e767b906d6861f63d3764001bd73a65265dc (patch)
tree	7f8bc5695f45dcc1d663367b7a851fb1b39ca254 /src
parent	6524a2fb6faa2b4281c6d45bc0c15879a011a718 (diff)
download	lighttpd-git-0b49e767b906d6861f63d3764001bd73a65265dc.tar.gz