fix ajp_msg_get_string buffer checks

covener · covener · commit 250fa4a42f43 · 2026-04-26T15:50:18.000Z
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933342 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
     status = ajp_msg_get_uint16(msg, &size);
     start = msg->pos;
 
-    if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
+    if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
+        return ajp_log_overflow(msg, "ajp_msg_get_string");
+    }
+
+    /* Verify that the expected null terminator is actually present */
+    if (msg->buf[start + size] != '\0') {
         return ajp_log_overflow(msg, "ajp_msg_get_string");
     }
 
