fa34f0
diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c
fa34f0
index 4572ce1..a0cbc0f 100644
fa34f0
--- a/modules/metadata/mod_remoteip.c
fa34f0
+++ b/modules/metadata/mod_remoteip.c
fa34f0
@@ -987,15 +987,13 @@ static remoteip_parse_status_t remoteip_process_v2_header(conn_rec *c,
fa34f0
                     return HDR_ERROR;
fa34f0
 #endif
fa34f0
                 default:
fa34f0
-                    /* unsupported protocol, keep local connection address */
fa34f0
-                    return HDR_DONE;
fa34f0
+                    /* unsupported protocol */
fa34f0
+                    ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(10183)
fa34f0
+                                  "RemoteIPProxyProtocol: unsupported protocol %.2hx",
fa34f0
+                                  (unsigned short)hdr->v2.fam);
fa34f0
+                    return HDR_ERROR;
fa34f0
             }
fa34f0
             break;  /* we got a sockaddr now */
fa34f0
-
fa34f0
-        case 0x00: /* LOCAL command */
fa34f0
-            /* keep local connection address for LOCAL */
fa34f0
-            return HDR_DONE;
fa34f0
-
fa34f0
         default:
fa34f0
             /* not a supported command */
fa34f0
             ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03507)
fa34f0
@@ -1087,11 +1085,24 @@ static apr_status_t remoteip_input_filter(ap_filter_t *f,
fa34f0
     /* try to read a header's worth of data */
fa34f0
     while (!ctx->done) {
fa34f0
         if (APR_BRIGADE_EMPTY(ctx->bb)) {
fa34f0
-            ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block,
fa34f0
-                                 ctx->need - ctx->rcvd);
fa34f0
+            apr_off_t got, want = ctx->need - ctx->rcvd;
fa34f0
+
fa34f0
+            ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, want);
fa34f0
             if (ret != APR_SUCCESS) {
fa34f0
+                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10184)
fa34f0
+                              "failed reading input");
fa34f0
                 return ret;
fa34f0
             }
fa34f0
+
fa34f0
+            ret = apr_brigade_length(ctx->bb, 1, &got;;
fa34f0
+            if (ret || got > want) {
fa34f0
+                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10185)
fa34f0
+                              "RemoteIPProxyProtocol header too long, "
fa34f0
+                              "got %" APR_OFF_T_FMT " expected %" APR_OFF_T_FMT,
fa34f0
+                              got, want);
fa34f0
+                f->c->aborted = 1;
fa34f0
+                return APR_ECONNABORTED;
fa34f0
+            }
fa34f0
         }
fa34f0
         if (APR_BRIGADE_EMPTY(ctx->bb)) {
fa34f0
             return block == APR_NONBLOCK_READ ? APR_SUCCESS : APR_EOF;
fa34f0
@@ -1139,6 +1150,13 @@ static apr_status_t remoteip_input_filter(ap_filter_t *f,
fa34f0
                 if (ctx->rcvd >= MIN_V2_HDR_LEN) {
fa34f0
                     ctx->need = MIN_V2_HDR_LEN +
fa34f0
                         remoteip_get_v2_len((proxy_header *) ctx->header);
fa34f0
+                    if (ctx->need > sizeof(proxy_v2)) {
fa34f0
+                        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(10186)
fa34f0
+                                      "RemoteIPProxyProtocol protocol header length too long");
fa34f0
+                        f->c->aborted = 1;
fa34f0
+                        apr_brigade_destroy(ctx->bb);
fa34f0
+                        return APR_ECONNABORTED;
fa34f0
+                    }
fa34f0
                 }
fa34f0
                 if (ctx->rcvd >= ctx->need) {
fa34f0
                     psts = remoteip_process_v2_header(f->c, conn_conf,