httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jor...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl ssl_engine_io.c
Date Tue, 17 Aug 2004 16:31:24 GMT
jorton      2004/08/17 09:31:23

  Modified:    .        CHANGES
               modules/ssl ssl_engine_io.c
  Log:
  * modules/ssl/ssl_engine_io.c (ssl_io_input_read): Fix rollback
  handling for AP_MODE_SPECULATIVE.
  
  PR: 30134
  
  Revision  Changes    Path
  1.1554    +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1553
  retrieving revision 1.1554
  diff -d -w -u -r1.1553 -r1.1554
  --- CHANGES	17 Aug 2004 13:47:04 -0000	1.1553
  +++ CHANGES	17 Aug 2004 16:31:22 -0000	1.1554
  @@ -2,6 +2,11 @@
   
     [Remove entries to the current 2.0 section below, when backported]
   
  +  *) SECURITY: CAN-2004-0751 (cve.mitre.org)
  +     mod_ssl: Fix a segfault in the SSL input filter which could be
  +     triggered if using "speculative" mode, for instance by a 
  +     proxy request to an SSL server.  PR 30134  [Joe Orton]
  +
     *) Add test_config hook, run only if httpd is invoked using -t.
        [Joe Orton]
   
  
  
  
  1.126     +6 -2      httpd-2.0/modules/ssl/ssl_engine_io.c
  
  Index: ssl_engine_io.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_io.c,v
  retrieving revision 1.125
  retrieving revision 1.126
  diff -d -w -u -r1.125 -r1.126
  --- ssl_engine_io.c	11 Aug 2004 13:19:24 -0000	1.125
  +++ ssl_engine_io.c	17 Aug 2004 16:31:23 -0000	1.126
  @@ -564,8 +564,12 @@
           *len = bytes;
           if (inctx->mode == AP_MODE_SPECULATIVE) {
               /* We want to rollback this read. */
  +            if (inctx->cbuf.length > 0) {
               inctx->cbuf.value -= bytes;
               inctx->cbuf.length += bytes;
  +            } else {
  +                char_buffer_write(&inctx->cbuf, buf, (int)bytes);
  +            }
               return APR_SUCCESS;
           }
           /* This could probably be *len == wanted, but be safe from stray
  
  
  

Mime
View raw message