ID: 37576
Updated by: [EMAIL PROTECTED]
Reported By: gacek at intertele dot pl
-Status: Open
+Status: Assigned
Bug Type: Reproducible crash
Operating System: Linux
PHP Version: 5.1.5CVS
-Assigned To:
+Assigned To: dmitry
Previous Comments:
------------------------------------------------------------------------
[2006-05-24 09:42:51] gacek at intertele dot pl

Description:
------------
Too many CGI variables overflow the cgi var table (128 entries) in fastcgi mode, crashing the php process. Default env table size (127 usable entries) may be too small in cgi+ssl+force_redirect. Apparently it's fixed in 5.2 branch, but not in 5.1.

Expected result:
----------------
No crash, larger env table.

Actual result:
--------------
Simple fix below increases env table to 256 (255 usable entries) and performs checks where appropriate.

diff -ru php-5.1.4/sapi/cgi/fastcgi.c php-5.1.4-patched/sapi/cgi/fastcgi.c --- php-5.1.4/sapi/cgi/fastcgi.c 2006-05-23 14:23:08.000000000 +0200 +++ php-5.1.4-patched/sapi/cgi/fastcgi.c 2006-05-23 08:14:25.000000000 +0200 @@ -401,7 +401,7 @@ int name_len, val_len; char *s; - while (p < end) { + while (p < end && n < FCGI_MAX_ENV_VARS - 1) { name_len = *p++; if (name_len >= 128) { name_len = ((name_len & 0x7f) << 24); @@ -928,7 +928,9 @@ } env++; } - *env = fcgi_strndup(var, var_len); + + if (env < req->env + sizeof(req->env) - 1) + *env = fcgi_strndup(var, var_len); } } diff -ru php-5.1.4/sapi/cgi/fastcgi.h php-5.1.4-patched/sapi/cgi/fastcgi.h --- php-5.1.4/sapi/cgi/fastcgi.h 2006-05-03 17:39:16.000000000 +0200 +++ php-5.1.4-patched/sapi/cgi/fastcgi.h 2006-05-23 07:59:36.000000000 +0200 @@ -26,6 +26,8 @@ #define FCGI_KEEP_CONN 1 +#define FCGI_MAX_ENV_VARS 256 + typedef enum _fcgi_role { FCGI_RESPONDER = 1, FCGI_AUTHORIZER = 2, @@ -105,7 +107,7 @@ unsigned char out_buf[1024*8]; unsigned char reserved[sizeof(fcgi_end_request_rec)]; - char *env[128]; + char *env[FCGI_MAX_ENV_VARS]; } fcgi_request; int fcgi_init(void);

------------------------------------------------------------------------
-- Edit this bug report at http://bugs.php.net/?id=37576&edit=1
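Review bot: the new loop bound `n < FCGI_MAX_ENV_VARS - 1` in the fastcgi.c hunk at @@ -401 stops parsing silently once the table is full, so a request carrying more variables than fit is processed with a truncated environment and the rest of the PARAMS payload is left unconsumed. Prefer failing the request (or at least logging the event) when the limit is reached, so an over-long variable set is rejected rather than served with whichever variables happened to arrive first.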
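Review bot: the bound `env < req->env + sizeof(req->env) - 1` in the fastcgi.c hunk at @@ -928 is wrong: sizeof(req->env) is a byte count (256 * sizeof(char *)), but adding it to the `char **` that req->env decays to advances by that many elements, so the comparison still admits writes far past the end of the array and the overflow the patch is meant to stop remains reachable. Compare against the element count instead, e.g. `if (env < req->env + FCGI_MAX_ENV_VARS - 1)`, and, as with the first hunk, report rather than silently skip a variable that no longer fits.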
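Review bot: the new `#define FCGI_MAX_ENV_VARS 256` in the fastcgi.h hunk at @@ -26 carries no comment, yet both fastcgi.c checks rely on the unstated convention that the env array is NULL-terminated and therefore only FCGI_MAX_ENV_VARS - 1 entries are usable. A one-line comment on the define stating that convention would make the two `- 1` bounds self-explaining for the next person who resizes the table.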
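The fixed env table the report describes, as an added example that is not PHP's code: a bounded, NULL-terminated table that counts refused variables instead of overflowing, with the usable slot count derived from the element size rather than from a raw sizeof(). The struct, the FCGI_MAX_ENV_VARS value and the env_* helper names are constructed for illustration.

```c
/* Added example, not PHP's own code: a bounded, NULL-terminated CGI
 * environment table mirroring the fixed char *env[] in the report. */
#include <stdlib.h>
#include <string.h>

#define FCGI_MAX_ENV_VARS 256   /* size proposed in the patch */

typedef struct {
    char *env[FCGI_MAX_ENV_VARS]; /* NULL-terminated "name=value" strings */
    int   dropped;                /* variables refused because the table was full */
} env_table;

/* Usable slots: one is always reserved for the NULL terminator. sizeof(env)
 * is a byte count, so divide by the element size; adding raw sizeof() to
 * the array pointer would place the bound far past the end of the table. */
size_t env_capacity(const env_table *t)
{
    return sizeof(t->env) / sizeof(t->env[0]) - 1;
}

int env_count(const env_table *t)
{
    int n = 0;
    while (t->env[n] != NULL) n++;
    return n;
}

/* Append "name=value". Returns 1 on success, 0 when the table is full.
 * A refused variable is counted rather than silently skipped, so the caller
 * can reject the request instead of serving a truncated environment. */
int env_add(env_table *t, const char *name, const char *value)
{
    int n = env_count(t);
    size_t name_len = strlen(name), val_len = strlen(value);
    char *s;
    if ((size_t)n >= env_capacity(t)) {
        t->dropped++;
        return 0;
    }
    s = malloc(name_len + 1 + val_len + 1);
    if (s == NULL) return 0;
    memcpy(s, name, name_len);
    s[name_len] = '=';
    memcpy(s + name_len + 1, value, val_len + 1);
    t->env[n] = s;
    t->env[n + 1] = NULL;
    return 1;
}
```

A zero-initialised env_table is an empty table; feed it more variables than fit and the surplus shows up in `dropped` while `env` stays NULL-terminated.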