Commit: 2f7bd57f930bcfdc97b7472fbe6a502cafdc5a59 Author: Jerome Loyet <f...@php.net> Sat, 26 May 2012 19:36:01 +0200 Parents: e7ff3e839b4c2a3423729b07ba1d40f45f1d2983 Branches: PHP-5.3
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=2f7bd57f930bcfdc97b7472fbe6a502cafdc5a59 Log: Fixed bug #61218 (the previous patch was not enough restritive on fcgi name string checks) Bugs: https://bugs.php.net/61218 Changed paths: M sapi/fpm/fpm/fastcgi.c Diff:
diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
index 9df26f1..e2e208a 100644
--- a/sapi/fpm/fpm/fastcgi.c
+++ b/sapi/fpm/fpm/fastcgi.c
@@ -395,12 +395,39 @@ static inline size_t fcgi_get_params_len( int *result, unsigned char *p, unsigne
 return ret;
 }
 
+static inline int fcgi_param_get_eff_len( unsigned char *p, unsigned char *end, uint *eff_len)
+{
+ int ret = 1;
+ int zero_found = 0;
+ *eff_len = 0;
+ for (; p != end; ++p) {
+ if (*p == '\0') {
+ zero_found = 1;
+ }
+ else {
+ if (zero_found) {
+ ret = 0;
+ break;
+ }
+ if (*eff_len < ((uint)-1)) {
+ ++*eff_len;
+ }
+ else {
+ ret = 0;
+ break;
+ }
+ }
+ }
+ return ret;
+}
+
 static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *end)
 {
 char buf[128];
 char *tmp = buf;
 size_t buf_size = sizeof(buf);
 int name_len, val_len;
+ uint eff_name_len;
 char *s;
 int ret = 1;
 size_t bytes_consumed;
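Review bot: fcgi_param_get_eff_len carries no description of its contract, and its `else { ret = 0; break; }` arm under `*eff_len < ((uint)-1)` cannot be reached in practice, since *eff_len grows by at most one per byte between p and end and end is `p+name_len` at the only visible call site, so a name would have to span 4 GiB. I would put a header comment above the function saying that it returns 1 when the bytes in [p, end) are a run of non-NUL bytes followed only by NUL padding, storing the run length in *eff_len, and 0 (leaving *eff_len at the count so far) when a non-NUL byte follows a NUL, and that callers must pass end >= p because the loop compares with `!=` rather than `<`. If the overflow guard is kept as belt-and-braces it deserves a one-line comment saying so; otherwise `else if (zero_found) {` flattens the nested `else { if (...) }` without changing behaviour. The hunk ends in the middle of fcgi_get_params's local declarations, so the rest of that function is outside view here.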
@@ -427,26 +454,35 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
 break;
 }
- if (name_len >= buf_size-1) {
- if (name_len > ((uint)-1)-64) {
+ /*
+ * get the effective length of the name in case it's not a valid string
+ * don't do this on the value because it can be binary data
+ */
+ if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len)){
+ /* Malicious request */
+ ret = 0;
+ break;
+ }
+ if (eff_name_len >= buf_size-1) {
+ if (eff_name_len > ((uint)-1)-64) {
 ret = 0;
 break;
 }
- buf_size = name_len + 64;
+ buf_size = eff_name_len + 64;
 tmp = (tmp == buf ? emalloc(buf_size): erealloc(tmp, buf_size));
 if (tmp == NULL) {
 ret = 0;
 break;
 }
 }
- memcpy(tmp, p, name_len);
- tmp[name_len] = 0;
+ memcpy(tmp, p, eff_name_len);
+ tmp[eff_name_len] = 0;
 s = estrndup((char*)p + name_len, val_len);
 if (s == NULL) {
 ret = 0;
 break;
 }
- zend_hash_update(req->env, tmp, name_len+1, &s, sizeof(char*), NULL);
+ zend_hash_update(req->env, tmp, eff_name_len+1, &s, sizeof(char*), NULL);
 p += name_len + val_len;
 }
 if (tmp != buf && tmp != NULL) {
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
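Review bot: The `/* Malicious request */` comment on the new early-out does not say what is being rejected, and the `memcpy(tmp, p, eff_name_len)` / `tmp[eff_name_len] = 0` lines silently key the env entry by the NUL-free prefix of the name, so a name `FOO` and a name `FOO\0` (trailing padding) land on the same req->env key and the later record overwrites the earlier one through zend_hash_update. Neither is necessarily wrong, since the value is still located through the full name_len, but both deserve stating: I would replace the comment with `/* non-NUL byte after a NUL inside the name: not a C string, reject the record */` and add before the memcpy `/* key is the prefix up to the first NUL; trailing NUL padding is dropped, so padded and unpadded names collide */`. The `eff_name_len > ((uint)-1)-64` guard is carried over from the old code, but eff_name_len is now bounded by name_len and can only trip for a 4 GiB name, which is fine as defence in depth but worth a word so nobody "fixes" it later. fcgi_get_params begins before this hunk and continues after it, so the bounds check that makes `p+name_len` a valid end pointer is not visible here; I am assuming it is the check whose `break; }` opens the hunk.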