From a3d32288317a87b1398825f2167e0ae083ed43da Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:55:26 +0000
Subject: [PATCH] Merge r1933344 from trunk:

fix ajp_parse_data message len check
+lognos



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933346 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/proxy/ajp_header.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
index 00db324e426..334d0aebb12 100644
--- a/modules/proxy/ajp_header.c
+++ b/modules/proxy/ajp_header.c
@@ -835,6 +835,11 @@ apr_status_t  ajp_parse_data(request_rec  *r, ajp_msg_t *msg,
      * 1                 : The last byte of this message always seems to be
      *                     0x00 and is not part of the chunk.
      */
+    if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10546)
+               "ajp_parse_data: Message too small");
+        return AJP_EBAD_HEADER;
+    }
     expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
     if (*len != expected_len) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00998)