From:
Operating system: any
PHP version: 5.4.1RC2
Package: CGI/CLI related
Bug Type: Bug
Bug description: Buffer Overflow in apache_request_headers
Description:
------------
Resubmitting since the patch didn't include last time, and I cannot view or
edit my own security bug. Makes sense :(
apache_request_headers has a loop starting at line 1617 which copies the
name of an environment variable while fixing case and converting '_' to
'-'. This loop is only supposed to copy the variable name (e.g. Cookie from
HTTP_COOKIE), however it continues until the end of the entire environment
variable. The problem is it is copying it into buffer t, which is a
pointer to buf[128]. If the string being copied is longer than 128 bytes,
it will overflow the buffer.
This seems to be present in 5.4.x
Patch in case it doesn't include again:
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 4643882..ef876fb 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1614,7 +1614,9 @@ PHP_FUNCTION(apache_request_headers) /* {{{ */
var = q = t;
*q++ = *p++;
while (*p) {
- if (*p == '_') {
+ if (*p == '=') {
+ break;
+ } else if (*p == '_') {
*q++ = '-';
p++;
if (*p) {
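Review bot: the new `break` on `'='` is the right cut-off for this loop, since environment entries have the form NAME=VALUE and, per the description, only the name before the `=` was ever meant to land in the 128-byte `buf`; it would read more clearly as the loop condition itself, `while (*p && *p != '=') {`, which drops the extra branch and makes the bound visible at the top of the loop. Worth confirming in the surrounding code, which the hunk does not show, that `*q` is still NUL-terminated after the early exit and that a variable name which is by itself longer than the buffer is rejected rather than copied.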
Test script:
---------------
Running roundcube with php 5.4 will trigger this bug due to the large
amount of cookie data and other stack conditions. This is where I
discovered it. The included patch fixes this bug.
Expected result:
----------------
PHP should function normally
Actual result:
--------------
PHP seg faults in zif_apache_request_headers
#5 0x000002dac7160040 in __stack_chk_fail () at stack_chk_fail.c:29
No locals.
#6 0x000000000074db0e in zif_apache_request_headers (ht=0,
return_value=0x2dac596e180,
return_value_ptr=0x3802d971bf0, this_ptr=0x6f72203b33396636,
return_value_used=1685382481) at
/tmp/buildd/php5-5.4.1~rc1/sapi/cgi/cgi_main.c:1647
buf =
"\023\000\000\000\000\000\000\000X-Roundcube-Request=4613f5de1ef497b2c16f60deb9be83de\000\060)
gecko/20100101 firefox/11.0\000sviewsplitter=296; identviewsplitter"
env = 0x3802d974638
q = 0x3802d971bf0
"undcube-sessauth=sdcc36a0f8bd6c79753726fdf6b6818a276a2581a"
var = 0x6f72203b33396636 <Address 0x6f72203b33396636 out of
bounds>
alloc_size = 128
buf =
"\023\000\000\000\000\000\000\000X-Roundcube-Request=4613f5de1ef497b2c16f60deb9be83de\000\060)
gecko/20100101 firefox/11.0\000sviewsplitter=296; identviewsplitter"
buf =
"\023\000\000\000\000\000\000\000X-Roundcube-Request=4613f5de1ef497b2c16f60deb9be83de\000\060)
gecko/20100101 firefox/11.0\000sviewsplitter=296; identviewsplitter"
#7 0x6f72203b33396636 in ?? ()
No symbol table info available.
#8 0x2d65627563646e75 in ?? ()
No symbol table info available.
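The loop described in the report copies one output byte per input byte of the whole NAME=VALUE entry, which is how a long cookie overran the 128-byte buffer. Below is an added, stand-alone C example (not PHP's code; all function names are hypothetical) of the same HTTP_X_Y to X-Y conversion with the two guards the original lacked: stop at '=' and never write past the output buffer. The sample entries are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hardened name-copying loop (hypothetical name, not PHP's code):
 * "HTTP_X_ROUNDCUBE_REQUEST=..." becomes "X-Roundcube-Request".
 * Guard 1: '=' ends the copy, so the VALUE part is never touched.
 * Guard 2: nothing is written past out[outsz - 1]; a name that does
 * not fit fails closed. Returns the name length or -1 on any failure. */
int header_name_from_env(const char *entry, char *out, size_t outsz)
{
    const char *p = entry;
    size_t n = 0;
    int upper = 1;                  /* first letter and letters after '_' */

    if (outsz == 0 || strncmp(p, "HTTP_", 5) != 0) return -1;
    for (p += 5; *p && *p != '='; p++) {          /* guard 1: stop at '=' */
        if (n + 1 >= outsz) { out[0] = '\0'; return -1; }  /* guard 2 */
        if (*p == '_') { out[n++] = '-'; upper = 1; continue; }
        out[n++] = (char)(upper ? toupper((unsigned char)*p)
                                : tolower((unsigned char)*p));
        upper = 0;
    }
    out[n] = '\0';
    return n ? (int)n : -1;         /* "HTTP_=x" has no name: reject */
}

/* Wrapper over a static 128-byte buffer, the size the report names;
 * outsz (capped at 128) lets the "name too long" path be exercised. */
const char *header_name_128(const char *entry, size_t outsz)
{
    static char buf[128];
    if (outsz > sizeof buf) outsz = sizeof buf;
    return header_name_from_env(entry, buf, outsz) < 0 ? NULL : buf;
}

/* Constructed sample "HTTP_<name>=<value_len bytes of 'a'>", e.g. a
 * cookie entry far longer than 128 bytes, the shape from the backtrace. */
const char *sample_entry(const char *name, size_t value_len)
{
    static char entry[512];
    size_t n = (size_t)snprintf(entry, sizeof entry, "HTTP_%s=", name);
    if (n >= sizeof entry) n = sizeof entry - 1;
    if (n + value_len >= sizeof entry) value_len = sizeof entry - 1 - n;
    memset(entry + n, 'a', value_len);
    entry[n + value_len] = '\0';
    return entry;
}
```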
--
Edit bug report at https://bugs.php.net/bug.php?id=61807&edit=1