dmitry Fri Sep 7 08:26:48 2007 UTC
Modified files: (Branch: PHP_5_2)
/php-src/sapi/cgi fastcgi.c
Log:
Added checks for malformated FastCGI requests (Mattias Bengtsson)
http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/fastcgi.c?r1=1.4.2.13.2.27&r2=1.4.2.13.2.28&diff_format=u
Index: php-src/sapi/cgi/fastcgi.c
diff -u php-src/sapi/cgi/fastcgi.c:1.4.2.13.2.27
php-src/sapi/cgi/fastcgi.c:1.4.2.13.2.28
--- php-src/sapi/cgi/fastcgi.c:1.4.2.13.2.27 Mon Jul 9 11:48:39 2007
+++ php-src/sapi/cgi/fastcgi.c Fri Sep 7 08:26:47 2007
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: fastcgi.c,v 1.4.2.13.2.27 2007/07/09 11:48:39 dmitry Exp $ */
+/* $Id: fastcgi.c,v 1.4.2.13.2.28 2007/09/07 08:26:47 dmitry Exp $ */
#include "php.h"
#include "fastcgi.h"
@@ -620,7 +620,8 @@
val_len |= (*p++ << 8);
val_len |= *p++;
}
- if (p + name_len + val_len > end) {
+ if (name_len + val_len < 0 ||
+ name_len + val_len > end - p) {
/* Malformated request */
ret = 0;
break;
@@ -676,6 +677,10 @@
padding = hdr.paddingLength;
}
+ if (len + padding > FCGI_MAX_LENGTH) {
+ return 0;
+ }
+
req->id = (hdr.requestIdB1 << 8) + hdr.requestIdB0;
if (hdr.type == FCGI_BEGIN_REQUEST && len ==
sizeof(fcgi_begin_request)) {
@@ -712,6 +717,10 @@
padding = hdr.paddingLength;
while (hdr.type == FCGI_PARAMS && len > 0) {
+ if (len + padding > FCGI_MAX_LENGTH) {
+ return 0;
+ }
+
if (safe_read(req, buf, len+padding) != len+padding) {
req->keep = 0;
return 0;
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
