dmitry Wed, 19 Jan 2011 08:38:25 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=307579
Log:
Added checks for malformed FastCGI requests (Edgar Frank)
Changed paths:
U php/php-src/branches/PHP_5_3/sapi/cgi/fastcgi.c
U php/php-src/trunk/sapi/cgi/fastcgi.c
Modified: php/php-src/branches/PHP_5_3/sapi/cgi/fastcgi.c
===================================================================
--- php/php-src/branches/PHP_5_3/sapi/cgi/fastcgi.c 2011-01-19 07:27:40 UTC
(rev 307578)
+++ php/php-src/branches/PHP_5_3/sapi/cgi/fastcgi.c 2011-01-19 08:38:25 UTC
(rev 307579)
@@ -605,28 +605,39 @@
{
char buf[128];
char *tmp = buf;
- int buf_size = sizeof(buf);
- int name_len, val_len;
+ size_t buf_size = sizeof(buf);
+ unsigned int name_len, val_len;
char *s;
int ret = 1;
while (p < end) {
name_len = *p++;
if (name_len >= 128) {
+ if (p + 3 >= end) {
+ ret = 0;
+ break;
+ }
name_len = ((name_len & 0x7f) << 24);
name_len |= (*p++ << 16);
name_len |= (*p++ << 8);
name_len |= *p++;
}
+ if (p >= end) {
+ ret = 0;
+ break;
+ }
val_len = *p++;
if (val_len >= 128) {
+ if (p + 3 >= end) {
+ ret = 0;
+ break;
+ }
val_len = ((val_len & 0x7f) << 24);
val_len |= (*p++ << 16);
val_len |= (*p++ << 8);
val_len |= *p++;
}
- if (name_len + val_len < 0 ||
- name_len + val_len > end - p) {
+ if (name_len + val_len > end - p) {
/* Malformated request */
ret = 0;
break;
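Review bot: The two `if (p + 3 >= end)` guards form a pointer that can lie more than one element past `end` when fewer than three bytes remain, which C leaves undefined if `end` marks the end of the receive buffer (not visible here). Comparing the remaining length gives the same result without that arithmetic: `if (end - p <= 3) {`. The trunk hunk uses the same form as `UNEXPECTED(p + 3 >= end)`. Separately, `name_len + val_len > end - p` now compares an unsigned int with a ptrdiff_t; trunk writes `(unsigned int) (end - p)`, and the same cast here would keep the two branches consistent. The function's start and the rest of the loop body, where the now-`size_t` `buf_size` is used, are outside the hunk.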
Modified: php/php-src/trunk/sapi/cgi/fastcgi.c
===================================================================
--- php/php-src/trunk/sapi/cgi/fastcgi.c 2011-01-19 07:27:40 UTC (rev
307578)
+++ php/php-src/trunk/sapi/cgi/fastcgi.c 2011-01-19 08:38:25 UTC (rev
307579)
@@ -842,33 +842,33 @@
static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char
*end)
{
unsigned int name_len, val_len;
- int ret = 1;
while (p < end) {
name_len = *p++;
if (UNEXPECTED(name_len >= 128)) {
+ if (UNEXPECTED(p + 3 >= end)) return 0;
name_len = ((name_len & 0x7f) << 24);
name_len |= (*p++ << 16);
name_len |= (*p++ << 8);
name_len |= *p++;
}
+ if (UNEXPECTED(p >= end)) return 0;
val_len = *p++;
if (UNEXPECTED(val_len >= 128)) {
+ if (UNEXPECTED(p + 3 >= end)) return 0;
val_len = ((val_len & 0x7f) << 24);
val_len |= (*p++ << 16);
val_len |= (*p++ << 8);
val_len |= *p++;
}
- if (UNEXPECTED(name_len + val_len < 0) ||
- UNEXPECTED(name_len + val_len > (unsigned int) (end - p))) {
+ if (UNEXPECTED(name_len + val_len > (unsigned int) (end - p))) {
/* Malformated request */
- ret = 0;
- break;
+ return 0;
}
fcgi_hash_set(&req->env, FCGI_HASH_FUNC(p, name_len), (char*)p,
name_len, (char*)p + name_len, val_len);
p += name_len + val_len;
}
- return ret;
+ return 1;
}
static int fcgi_read_request(fcgi_request *req)
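Review bot: The remaining bound check `name_len + val_len > (unsigned int) (end - p)` depends on the unsigned sum never wrapping, and nothing in `fcgi_get_params` records why that holds now that the `< 0` test is gone. Each length is at most 0x7fffffff because the first byte is masked with `0x7f` before the shift by 24, so the sum fits as long as unsigned int is at least 32 bits. A comment above the check such as `/* each length is <= 0x7fffffff, so the unsigned sum cannot wrap */` would protect that invariant if the decoding is edited later. Pairs already stored by `fcgi_hash_set` stay in `req->env` when a later pair causes `return 0`; whether the caller discards them is not visible in this hunk and is worth confirming.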