[PHP-CVS] cvs: php-src /sapi/cgi fastcgi.c

Mon, 16 Oct 2006 03:47:32 -0700 

dmitry          Mon Oct 16 10:47:23 2006 UTC

  Modified files:              
    /php-src/sapi/cgi   fastcgi.c 
  Log:
  Fixed bug #39020 (PHP in FastCGI server mode crashes)
  
  
http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/fastcgi.c?r1=1.24&r2=1.25&diff_format=u
Index: php-src/sapi/cgi/fastcgi.c
diff -u php-src/sapi/cgi/fastcgi.c:1.24 php-src/sapi/cgi/fastcgi.c:1.25
--- php-src/sapi/cgi/fastcgi.c:1.24     Wed Sep 13 13:03:14 2006
+++ php-src/sapi/cgi/fastcgi.c  Mon Oct 16 10:47:23 2006
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: fastcgi.c,v 1.24 2006/09/13 13:03:14 dmitry Exp $ */
+/* $Id: fastcgi.c,v 1.25 2006/10/16 10:47:23 dmitry Exp $ */
 
 #include "php.h"
 #include "fastcgi.h"
@@ -390,13 +390,14 @@
        return pad;
 }
 
-static void fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char 
*end)
+static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char 
*end)
 {
        char buf[128];
        char *tmp = buf;
        int buf_size = sizeof(buf);
        int name_len, val_len;
        char *s;
+       int ret = 1;
 
        while (p < end) {
                name_len = *p++;
@@ -413,6 +414,11 @@
                        val_len |= (*p++ << 8);
                        val_len |= *p++;
                }
+               if (p + name_len + val_len > end) {
+                       /* Malformated request */
+                       ret = 0;
+                       break;
+               }
                if (name_len+1 >= buf_size) {
                        buf_size = name_len + 64;
                        tmp = (tmp == buf ? emalloc(buf_size): erealloc(tmp, 
buf_size));
@@ -426,6 +432,7 @@
        if (tmp != buf && tmp != NULL) {
                efree(tmp);
        }
+       return ret;
 }
 
 static void fcgi_free_var(char **s)
@@ -503,7 +510,11 @@
                                req->keep = 0;
                                return 0;
                        }
-                       fcgi_get_params(req, buf, buf+len);
+
+                       if (!fcgi_get_params(req, buf, buf+len)) {
+                               req->keep = 0;
+                               return 0;
+                       }
 
                        if (safe_read(req, &hdr, sizeof(fcgi_header)) != 
sizeof(fcgi_header) ||
                            hdr.version < FCGI_VERSION_1) {
@@ -518,9 +529,14 @@
                unsigned char *p = buf + sizeof(fcgi_header);
 
                if (safe_read(req, buf, len+padding) != len+padding) {
+                       req->keep = 0;
+                       return 0;
+               }
+
+               if (!fcgi_get_params(req, buf, buf+len)) {
+                       req->keep = 0;
                        return 0;
                }
-               fcgi_get_params(req, buf, buf+len);
 
                for (j = 0; j < 
sizeof(fcgi_mgmt_vars)/sizeof(fcgi_mgmt_vars[0]); j++) {
                        if (zend_hash_exists(&req->env, fcgi_mgmt_vars[j].name, 
fcgi_mgmt_vars[j].name_len+1) == 0) {
@@ -531,6 +547,7 @@
                len = p - buf - sizeof(fcgi_header);
                len += fcgi_make_header((fcgi_header*)buf, 
FCGI_GET_VALUES_RESULT, 0, len);
                if (safe_write(req, buf, sizeof(fcgi_header)+len) != 
(int)sizeof(fcgi_header)+len) {
+                       req->keep = 0;
                        return 0;
                }
                return 0;

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to