[mod_ajp13] fix crash with bad response headers (fixes #3170)

fix crash with bad response headers from AJP13 backend (thx Michał Dardas) x-ref: "mod_ajp13 read heap buffer overflow" https://redmine.lighttpd.net/issues/3170
2022-08-14 23:19:16 -04:00 · 2022-08-14 23:19:16 -04:00 · 0b49e767b9
parent 6524a2fb6f
commit 0b49e767b9
1 changed files with 6 additions and 0 deletions
--- a/src/mod_ajp13.c
+++ b/src/mod_ajp13.c
@ -812,6 +812,12 @@ ajp13_recv_parse_loop (request_st * const r, handler_ctx * const hctx)
        switch(ptr[4]) {
        case AJP13_SEND_HEADERS:
            if (0 == r->resp_body_started) {
+                if (plen < 3) {
+                    log_error(errh, __FILE__, __LINE__,
+                      "AJP13: headers packet received with invalid length");
+                    return HANDLER_FINISHED;
+                }
+
                buffer *hdrs = hctx->response;
                if (NULL == hdrs) {
                    hdrs = r->tmp_buf;