From: Moritz Schlarb <schlarbm@uni-mainz.de>
Date: Tue, 2 May 2023 11:44:18 +0200
Subject: Fix CVE-2023-28625: segfault DoS when OIDCStripCookies is set
Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Origin: upstream, https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
Applied-Upstream: 2.4.13.2, https://github.com/OpenIDC/mod_auth_openidc/commit/c0e1edac3c4c19988ccdc7713d7aebfce6ff916a

---
 src/mod_auth_openidc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 099c716..3e9147b 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -191,7 +191,8 @@ void oidc_strip_cookies(request_rec *r) {
 		do {
 			while (cookie != NULL && *cookie == OIDC_CHAR_SPACE)
 				cookie++;
-
+			if (cookie == NULL)
+				break;
 			for (i = 0; i < strip->nelts; i++) {
 				name = ((const char**) strip->elts)[i];
 				if ((strncmp(cookie, name, strlen(name)) == 0)