diff options
| author | George Wang <gwang@php.net> | 2015-12-09 00:06:49 -0500 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2015-12-12 15:37:50 +0100 |
| commit | 6e485973755e42f15b9576d983de2ba5c80eeffb (patch) | |
| tree | 9e4e56999f346bb0e1feaf63af61d2ffc0e664cd | |
| parent | 9fab0c8253187bef184d1653e15a4069ed656fd3 (diff) | |
| download | php-git-6e485973755e42f15b9576d983de2ba5c80eeffb.tar.gz | |
Add sanitizing checks for request data.
| -rw-r--r-- | sapi/litespeed/lsapilib.c | 56 |
1 files changed, 54 insertions, 2 deletions
diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c index 06437c21c0..6abaf0d018 100644 --- a/sapi/litespeed/lsapilib.c +++ b/sapi/litespeed/lsapilib.c @@ -437,7 +437,7 @@ static int allocateEnvList( struct LSAPI_key_value_pair ** pEnvList, int *curSize, int newSize ) { struct LSAPI_key_value_pair * pBuf; - if ( *curSize >= newSize ) + if ( *curSize >= newSize ) return 0; if ( newSize > 8192 ) return -1; @@ -559,6 +559,40 @@ static void fixHeaderIndexEndian( LSAPI_Request * pReq ) } } + +static int validateHeaders( LSAPI_Request * pReq ) +{ + int totalLen = pReq->m_pHeader->m_httpHeaderLen; + int i; + for(i = 0; i < H_TRANSFER_ENCODING; ++i) + { + if ( pReq->m_pHeaderIndex->m_headerOff[i] ) + { + if (pReq->m_pHeaderIndex->m_headerOff[i] > totalLen + || pReq->m_pHeaderIndex->m_headerLen[i] + + pReq->m_pHeaderIndex->m_headerOff[i] > totalLen) + return -1; + } + } + if (pReq->m_pHeader->m_cntUnknownHeaders > 0) + { + struct lsapi_header_offset * pCur, *pEnd; + pCur = pReq->m_pUnknownHeader; + pEnd = pCur + pReq->m_pHeader->m_cntUnknownHeaders; + while( pCur < pEnd ) + { + if (pCur->nameOff > totalLen + || pCur->nameOff + pCur->nameLen > totalLen + || pCur->valueOff > totalLen + || pCur->valueOff + pCur->valueLen > totalLen) + return -1; + ++pCur; + } + } + return 0; +} + + static uid_t s_uid = 0; static uid_t s_defaultUid; //web server need set this static gid_t s_defaultGid; @@ -999,7 +1033,18 @@ static int parseRequest( LSAPI_Request * pReq, int totalLen ) if ( parseEnv( pReq->m_pEnvList, pReq->m_pHeader->m_cntEnv, &pBegin, pEnd ) == -1 ) return -1; - + if (pReq->m_pHeader->m_scriptFileOff < 0 + || pReq->m_pHeader->m_scriptFileOff >= totalLen + || pReq->m_pHeader->m_scriptNameOff < 0 + || pReq->m_pHeader->m_scriptNameOff >= totalLen + || pReq->m_pHeader->m_queryStringOff < 0 + || pReq->m_pHeader->m_queryStringOff >= totalLen + || pReq->m_pHeader->m_requestMethodOff < 0 + || pReq->m_pHeader->m_requestMethodOff >= totalLen) + { + fprintf(stderr, "%d: bad request header - ERROR#1\n", getpid()); + return -1; + } pReq->m_pScriptFile = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptFileOff; pReq->m_pScriptName = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptNameOff; pReq->m_pQueryString = pReq->m_pReqBuf + pReq->m_pHeader->m_queryStringOff; @@ -1025,6 +1070,13 @@ static int parseRequest( LSAPI_Request * pReq, int totalLen ) { fixHeaderIndexEndian( pReq ); } + + if (validateHeaders(pReq) == -1) + { + fprintf(stderr, "%d: bad request header - ERROR#2\n", getpid()); + return -1; + } + pReq->m_reqBodyLen = pReq->m_pHeader->m_reqBodyLen; if ( pReq->m_reqBodyLen == -2 ) { |