author | Dmitry Stogov <dmitry@php.net> | 2011-01-19 08:38:25 +0000 |
---|---|---|
committer | Dmitry Stogov <dmitry@php.net> | 2011-01-19 08:38:25 +0000 |
commit | 068a78014f678f066ba6a6b6d864a7f49530057c (patch) | |
tree | 4bc91b2a7ff89e6043fe6e5ff9a483100bd77410 /sapi/cgi | |
parent | fdbc42611c9997fdcd875c21b17c74a5b0c57362 (diff) | |
Added checks for malformated FastCGI requests (Edgar Frank)
Diffstat (limited to 'sapi/cgi')
-rw-r--r-- | sapi/cgi/fastcgi.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index a5e4efa0fa..23fa043e3e 100644
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -605,28 +605,39 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
 {
 char buf[128];
 char *tmp = buf;
- int buf_size = sizeof(buf);
- int name_len, val_len;
+ size_t buf_size = sizeof(buf);
+ unsigned int name_len, val_len;
 char *s;
 int ret = 1;
 while (p < end) {
 name_len = *p++;
 if (name_len >= 128) {
+ if (p + 3 >= end) {
+ ret = 0;
+ break;
+ }
 name_len = ((name_len & 0x7f) << 24);
 name_len |= (*p++ << 16);
 name_len |= (*p++ << 8);
 name_len |= *p++;
 }
+ if (p >= end) {
+ ret = 0;
+ break;
+ }
 val_len = *p++;
 if (val_len >= 128) {
+ if (p + 3 >= end) {
+ ret = 0;
+ break;
+ }
 val_len = ((val_len & 0x7f) << 24);
 val_len |= (*p++ << 16);
 val_len |= (*p++ << 8);
 val_len |= *p++;
 }
- if (name_len + val_len < 0 ||
- name_len + val_len > end - p) {
+ if (name_len + val_len > end - p) {
 /* Malformated request */
 ret = 0;
 break; |
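Review bot: Both added `if (p + 3 >= end)` guards compute `p + 3` before comparing it, and when a request stops inside a four-byte length field that pointer can lie more than one past `end`, which C leaves undefined if `end` is the end of the underlying buffer. The same test written on the remaining length, `if (end - p <= 3) {`, has identical truth values and never forms an out-of-range pointer. The final comparison `name_len + val_len > end - p` now mixes `unsigned int` with `ptrdiff_t` and is correct only because the earlier guards keep `p <= end`; writing it as `if ((size_t)name_len + val_len > (size_t)(end - p)) {` makes that dependency explicit. The three new early exits would also benefit from the `/* Malformated request */` comment that only the last check carries. fcgi_get_params continues past the end of this hunk, so the code that consumes `buf_size` after its change to `size_t` is not visible here.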