geissert Sat, 13 Mar 2010 18:40:29 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=296152
Log: Fix CVE-2010-0397: null pointer dereference when processing invalid XML-RPC requests (bug #51288) Bug: http://bugs.php.net/51288 (Closed) null pointer deref when <methodName> is not set Changed paths: U php/php-src/branches/PHP_5_2/NEWS A php/php-src/branches/PHP_5_2/ext/xmlrpc/tests/bug51288.phpt U php/php-src/branches/PHP_5_2/ext/xmlrpc/xmlrpc-epi-php.c U php/php-src/branches/PHP_5_3/NEWS A php/php-src/branches/PHP_5_3/ext/xmlrpc/tests/bug51288.phpt U php/php-src/branches/PHP_5_3/ext/xmlrpc/xmlrpc-epi-php.c A php/php-src/trunk/ext/xmlrpc/tests/bug51288.phpt U php/php-src/trunk/ext/xmlrpc/xmlrpc-epi-php.c Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2010-03-13 17:40:13 UTC (rev 296151) +++ php/php-src/branches/PHP_5_2/NEWS 2010-03-13 18:40:29 UTC (rev 296152) @@ -3,6 +3,9 @@ ?? ??? 2010, PHP 5.2.14 - Updated timezone database to version 2010.3. (Derick) +- Fixed a NULL pointer dereference when processing invalid XML-RPC + requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) + - Fixed bug #51269 (zlib.output_compression Overwrites Vary Header). (Adam) - Fixed bug #51237 (milter SAPI crash on startup). (igmar at palsenberg dot com) - Fixed bug #51213 (pdo_mssql is trimming value of the money column). (Ilia, Added: php/php-src/branches/PHP_5_2/ext/xmlrpc/tests/bug51288.phpt =================================================================== --- php/php-src/branches/PHP_5_2/ext/xmlrpc/tests/bug51288.phpt (rev 0) +++ php/php-src/branches/PHP_5_2/ext/xmlrpc/tests/bug51288.phpt 2010-03-13 18:40:29 UTC (rev 296152) 
@@ -0,0 +1,14 @@ +--TEST-- +Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request) +--FILE-- +<?php +$method = NULL; +$req = '<?xml version="1.0"?><methodCall></methodCall>'; +var_dump(xmlrpc_decode_request($req, $method)); +var_dump($method); +echo "Done\n"; +?> +--EXPECT-- +NULL +NULL +Done Modified: php/php-src/branches/PHP_5_2/ext/xmlrpc/xmlrpc-epi-php.c =================================================================== --- php/php-src/branches/PHP_5_2/ext/xmlrpc/xmlrpc-epi-php.c 2010-03-13 17:40:13 UTC (rev 296151) +++ php/php-src/branches/PHP_5_2/ext/xmlrpc/xmlrpc-epi-php.c 2010-03-13 18:40:29 UTC (rev 296152) @@ -723,6 +723,7 @@ zval* retval = NULL; XMLRPC_REQUEST response; STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}}; + const char *method_name; opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(Z_STRVAL_P(encoding_in)) : ENCODING_DEFAULT; /* generate XMLRPC_REQUEST from raw xml */ @@ -733,10 +734,15 @@ if(XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) { if(method_name_out) { - zval_dtor(method_name_out); - Z_TYPE_P(method_name_out) = IS_STRING; - Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response)); - Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); + method_name = XMLRPC_RequestGetMethodName(response); + if (method_name) { + zval_dtor(method_name_out); + Z_TYPE_P(method_name_out) = IS_STRING; + Z_STRVAL_P(method_name_out) = estrdup(method_name); + Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); + } else { + retval = NULL; + } } } Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2010-03-13 17:40:13 UTC (rev 296151) +++ php/php-src/branches/PHP_5_3/NEWS 2010-03-13 18:40:29 UTC (rev 296152) 
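Review bot: The new test pins only the malformed-request path, so nothing here guards against the added check rejecting a valid request by mistake. Since the fix alters how xmlrpc_decode_request() fills its by-reference argument, a second case in the same file that decodes a well-formed call, e.g. `$req2 = '<?xml version="1.0"?><methodCall><methodName>foo</methodName></methodCall>';` followed by `xmlrpc_decode_request($req2, $method); var_dump($method);`, expecting `string(3) "foo"`, would show the guard still populates `$method` on the happy path. I have not run this against the extension, so the exact var_dump output of the return value for that input should be confirmed before it is added to the EXPECT section.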
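Review bot: The new `else { retval = NULL; }` branch at the end of the PHP_5_2 hunk overwrites `retval` without releasing what it held. `retval` is declared `zval* retval = NULL;` in the preceding hunk, and if it has already been assigned the decoded request data by the time this block runs (that assignment, and the enclosing `if(response)` block, start outside the hunk), every request that lacks `<methodName>` now leaks that zval instead of crashing. If that is the case the branch should free before clearing, e.g. `} else if (retval) {`, `zval_ptr_dtor(&retval);`, `retval = NULL;`. Note also that `method_name_out` is deliberately left untouched on this path, which is what the test expects; a one-line comment such as `/* no <methodName>: leave method_name_out as the caller passed it and report failure via a NULL return */` would make that intent explicit. The enclosing function continues past the end of the hunk.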
@@ -6,6 +6,9 @@ - Added stream filter support to mcrypt extension (ported from mcrypt_filter). (Stas) +- Fixed a NULL pointer dereference when processing invalid XML-RPC + requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) + - Fixed bug #51269 (zlib.output_compression Overwrites Vary Header). (Adam) - Fixed bug #51257 (CURL_VERSION_LARGEFILE incorrectly used after libcurl version 7.10.1). (aron dot ujvari at microsec dot hu) Added: php/php-src/branches/PHP_5_3/ext/xmlrpc/tests/bug51288.phpt =================================================================== --- php/php-src/branches/PHP_5_3/ext/xmlrpc/tests/bug51288.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/ext/xmlrpc/tests/bug51288.phpt 2010-03-13 18:40:29 UTC (rev 296152) @@ -0,0 +1,14 @@ +--TEST-- +Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request) +--FILE-- +<?php +$method = NULL; +$req = '<?xml version="1.0"?><methodCall></methodCall>'; +var_dump(xmlrpc_decode_request($req, $method)); +var_dump($method); +echo "Done\n"; +?> +--EXPECT-- +NULL +NULL +Done Modified: php/php-src/branches/PHP_5_3/ext/xmlrpc/xmlrpc-epi-php.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/xmlrpc/xmlrpc-epi-php.c 2010-03-13 17:40:13 UTC (rev 296151) +++ php/php-src/branches/PHP_5_3/ext/xmlrpc/xmlrpc-epi-php.c 2010-03-13 18:40:29 UTC (rev 296152) @@ -778,6 +778,7 @@ zval* retval = NULL; XMLRPC_REQUEST response; STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}}; + const char *method_name; opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(encoding_in) : ENCODING_DEFAULT; /* generate XMLRPC_REQUEST from raw xml */ 
@@ -788,10 +789,15 @@ if (XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) { if (method_name_out) { - zval_dtor(method_name_out); - Z_TYPE_P(method_name_out) = IS_STRING; - Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response)); - Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); + method_name = XMLRPC_RequestGetMethodName(response); + if (method_name) { + zval_dtor(method_name_out); + Z_TYPE_P(method_name_out) = IS_STRING; + Z_STRVAL_P(method_name_out) = estrdup(method_name); + Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); + } else { + retval = NULL; + } } } Added: php/php-src/trunk/ext/xmlrpc/tests/bug51288.phpt =================================================================== --- php/php-src/trunk/ext/xmlrpc/tests/bug51288.phpt (rev 0) +++ php/php-src/trunk/ext/xmlrpc/tests/bug51288.phpt 2010-03-13 18:40:29 UTC (rev 296152) @@ -0,0 +1,14 @@ +--TEST-- +Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request) +--FILE-- +<?php +$method = NULL; +$req = '<?xml version="1.0"?><methodCall></methodCall>'; +var_dump(xmlrpc_decode_request($req, $method)); +var_dump($method); +echo "Done\n"; +?> +--EXPECT-- +NULL +NULL +Done Modified: php/php-src/trunk/ext/xmlrpc/xmlrpc-epi-php.c =================================================================== --- php/php-src/trunk/ext/xmlrpc/xmlrpc-epi-php.c 2010-03-13 17:40:13 UTC (rev 296151) +++ php/php-src/trunk/ext/xmlrpc/xmlrpc-epi-php.c 2010-03-13 18:40:29 UTC (rev 296152) @@ -784,6 +784,7 @@ zval* retval = NULL; XMLRPC_REQUEST response; STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}}; + const char *method_name; opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(encoding_in) : ENCODING_DEFAULT; /* generate XMLRPC_REQUEST from raw xml */ 
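Review bot: The PHP_5_3 hunk has the same gap as the 5.2 one: `retval = NULL;` in the new `else` branch discards the pointer without freeing it. `retval` starts as `zval* retval = NULL;` (previous hunk), and if the decoded request data has been assigned to it before this point (outside the hunk) the no-`<methodName>` path now leaks a zval per request. Suggested change: `} else if (retval) {`, `zval_ptr_dtor(&retval);`, `retval = NULL;`. The enclosing function begins and ends outside this hunk, so whether `retval` is populated earlier needs confirming against the full file.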
@@ -794,10 +795,15 @@ if (XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) { if (method_name_out) { - zval_dtor(method_name_out); - Z_TYPE_P(method_name_out) = IS_STRING; - Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response)); - Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); + method_name = XMLRPC_RequestGetMethodName(response); + if (method_name) { + zval_dtor(method_name_out); + Z_TYPE_P(method_name_out) = IS_STRING; + Z_STRVAL_P(method_name_out) = estrdup(method_name); + Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out)); + } else { + retval = NULL; + } } }
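Review bot: Same remark for trunk: the added `else { retval = NULL; }` clears `retval` without a `zval_ptr_dtor`, so if `retval` was already assigned the decoded request before this block (the assignment is outside the hunk) a malformed request leaks it. The three branches carry identical logic, so the fix should be applied in all three: `} else if (retval) {`, `zval_ptr_dtor(&retval);`, `retval = NULL;`. It would also be worth a short comment on why a NULL method name is treated as a failed decode rather than an empty string, e.g. `/* xmlrpc-epi returns NULL when <methodName> is absent; treat the request as invalid */`, since that is the assumption the whole guard rests on. The enclosing function starts and ends outside the hunk.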