author | Dmitry Stogov <dmitry@php.net> | 2007-09-07 08:26:47 +0000 |
---|---|---|
committer | Dmitry Stogov <dmitry@php.net> | 2007-09-07 08:26:47 +0000 |
commit | dd8c8d05e8d5a36b92bd74c4480ae3b45053feed (patch) | |
tree | 8b29ff9b80b25099064462ab65389ca80bf1a671 /sapi/cgi | |
parent | 022d4fc0b63ad64a18332ac736de50a6f067d5fd (diff) | |
download | php-git-dd8c8d05e8d5a36b92bd74c4480ae3b45053feed.tar.gz |
Added checks for malformated FastCGI requests (Mattias Bengtsson)
Diffstat (limited to 'sapi/cgi')
-rw-r--r-- | sapi/cgi/fastcgi.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index 16059e6156..b3eacc2676 100644
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -620,7 +620,8 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
 val_len |= (*p++ << 8);
 val_len |= *p++;
 }
- if (p + name_len + val_len > end) {
+ if (name_len + val_len < 0 ||
+ name_len + val_len > end - p) {
 /* Malformated request */
 ret = 0;
 break;
@@ -676,6 +677,10 @@ static int fcgi_read_request(fcgi_request *req)
 padding = hdr.paddingLength;
 }
+ if (len + padding > FCGI_MAX_LENGTH) {
+ return 0;
+ }
+
 req->id = (hdr.requestIdB1 << 8) + hdr.requestIdB0;
 if (hdr.type == FCGI_BEGIN_REQUEST && len == sizeof(fcgi_begin_request)) {
@@ -712,6 +717,10 @@ static int fcgi_read_request(fcgi_request *req)
 padding = hdr.paddingLength;
 while (hdr.type == FCGI_PARAMS && len > 0) {
+ if (len + padding > FCGI_MAX_LENGTH) {
+ return 0;
+ }
+
 if (safe_read(req, buf, len+padding) != len+padding) {
 req->keep = 0;
 return 0; |
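Review bot: The new `name_len + val_len < 0` test in fcgi_get_params can only fire after the addition has already overflowed, and signed overflow is undefined behaviour in C, so a compiler is free to drop the test; the declarations of name_len and val_len are outside the hunk, but the shift-and-or decoding in the context lines suggests plain int. Comparing each length with the space that is left avoids the addition altogether: `if (name_len < 0 || val_len < 0 || name_len > end - p || val_len > (end - p) - name_len) {`. The length bytes themselves are read with `*p++` in the context lines above this check, and no bound of p against end is visible there. The function body starts and ends outside the hunk.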
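Review bot: Both new `len + padding > FCGI_MAX_LENGTH` rejections in fcgi_read_request (the one after the header is parsed and the one at the top of the FCGI_PARAMS loop in the last hunk) return 0 without clearing `req->keep`, while the safe_read failure path visible in the last hunk sets `req->keep = 0;` first. After an oversized record header the stream position can no longer be trusted, so unless the caller always closes the connection on a 0 return (not visible here), the same `req->keep = 0;` belongs before each new `return 0;`. A short comment such as `/* record would not fit in buf */` would also record why the limit exists, assuming buf is sized from FCGI_MAX_LENGTH; its declaration is outside the hunks. The function body starts and ends outside both hunks.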