Return-Path: Delivered-To: apmail-apache-cvs-archive@apache.org Received: (qmail 56448 invoked by uid 500); 6 Oct 2000 16:41:33 -0000 Mailing-List: contact apache-cvs-help@apache.org; run by ezmlm Precedence: bulk Reply-To: new-httpd@apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list apache-cvs@apache.org Received: (qmail 56428 invoked by uid 500); 6 Oct 2000 16:41:31 -0000 Delivered-To: apmail-apache-2.0-cvs@apache.org Date: 6 Oct 2000 16:41:31 -0000 Message-ID: <20001006164131.56423.qmail@locus.apache.org> From: rbb@locus.apache.org To: apache-2.0-cvs@apache.org Subject: cvs commit: apache-2.0/src/main http_protocol.c rbb 00/10/06 09:41:31 Modified: src/main http_protocol.c Log: Fix a potential memory overrun error in ap_get_client_block. The problem is that the bucket code does not respect the length passed into it. This is correct for buckets, but it means that when we get data out of the buckets, we may have to split the bucket to make sure that any copy operations are safe. We were originally doing the split at the number of characters read from the bucket, but we really want to do it at the length of the buffer. Revision Changes Path 1.147 +10 -6 apache-2.0/src/main/http_protocol.c Index: http_protocol.c =================================================================== RCS file: /home/cvs/apache-2.0/src/main/http_protocol.c,v retrieving revision 1.146 retrieving revision 1.147 diff -u -r1.146 -r1.147 --- http_protocol.c 2000/10/06 06:07:07 1.146 +++ http_protocol.c 2000/10/06 16:41:30 1.147 
@@ -2394,16 +2394,20 @@ b = AP_BRIGADE_FIRST(r->connection->input_data); len_read = len_to_read; rv = b->read(b, &tempbuf, &len_read, 0); - if (len_read < b->length) { - b->split(b, len_read); + if (len_to_read < b->length) { + b->split(b, len_to_read); } - memcpy(buffer, tempbuf, len_read); + else { + len_to_read = len_read; + } + + memcpy(buffer, tempbuf, len_to_read); AP_BUCKET_REMOVE(b); b->destroy(b); - r->read_length += len_read; - r->remaining -= len_read; - return len_read; + r->read_length += len_to_read; + r->remaining -= len_to_read; + return len_to_read; } /*
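Review bot: The new `if` branch copies `len_to_read` bytes from `tempbuf` without confirming the read actually returned that many; `len_read` is only folded into `len_to_read` in the `else` branch, so the `memcpy(buffer, tempbuf, len_to_read)` assumes `len_read >= len_to_read` whenever `len_to_read < b->length`. That holds for buckets whose `read` returns the whole bucket (the case the log message describes), but a bucket type that returns fewer bytes than its `length` would make the copy read past the valid data in `tempbuf`. Clamping to the smaller of the two before the copy and the split (for example `if (len_read < len_to_read) len_to_read = len_read;` ahead of the `if`) would keep the fix independent of per-bucket `read` semantics. Separately, `rv` from `b->read(b, &tempbuf, &len_read, 0)` is still unchecked before the split and copy; the change is a good place to bail out on a failed read rather than proceed with whatever `len_read` and `tempbuf` hold.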