From 41cd334ad682676f9c1ff45518703b633e5b64e1 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Sat, 2 Jun 2012 22:28:26 +0000 Subject: Avoid buffer overflow if one protocol string is too long, but at least one is not. Also add log messages numbers and avoid useless string dup. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1345599 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_kernel.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'modules/ssl/ssl_engine_kernel.c') diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index cc25a6a0a0..bc9e26b92f 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -2189,7 +2189,7 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, /* If the protocol name is too long (the length must fit in one byte), * then log an error and skip it. */ if (length > 255) { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307) "SSL NPN protocol name too long (length=%u): %s", length, string); continue; @@ -2213,6 +2213,8 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, for (i = 0; i < num_protos; ++i) { const char *string = APR_ARRAY_IDX(protos, i, const char*); apr_size_t length = strlen(string); + if (length > 255) + continue; *start = (unsigned char)length; ++start; memcpy(start, string, length * sizeof(unsigned char)); -- cgit v1.2.3