Fixed bug #61218 (FPM drops connection while receiving some binary valuesin FastCGI requests)

author: Jerome Loyet <fat@php.net> 2012-05-26 19:27:02 +0200
committer: Jerome Loyet <fat@php.net> 2012-05-26 19:27:02 +0200
commit: e7ff3e839b4c2a3423729b07ba1d40f45f1d2983 (patch)
tree: 99c8cc04de518467f2a5d864f095aa490ab064e9 /sapi/fpm
parent: 0298b92b69e5637e8d151790ad6369f7980a406a (diff)
download: php-git-e7ff3e839b4c2a3423729b07ba1d40f45f1d2983.tar.gz
1 files changed, 8 insertions, 40 deletions
diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
index 212b6ff1db..9df26f11cd 100644
--- a/sapi/fpm/fpm/fastcgi.c
+++ b/sapi/fpm/fpm/fastcgi.c
@@ -395,39 +395,12 @@ static inline size_t fcgi_get_params_len( int *result, unsigned char *p, unsigne
 	return ret;
 }
 
-static inline int fcgi_param_get_eff_len( unsigned char *p, unsigned char *end, uint *eff_len)
-{
-	int ret = 1;
-	int zero_found = 0;
-        *eff_len = 0;
-	for (; p != end; ++p) {
-		if (*p == '\0') {
-			zero_found = 1;
-		}
-		else {
-			if (zero_found) {
-				ret = 0;
-				break;
-			}
-			if (*eff_len < ((uint)-1)) {
-				++*eff_len;
-			}
-			else {
-				ret = 0;
-				break;
-			}
-		}
-	}
-	return ret;
-}
-
 static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *end)
 {
 	char buf[128];
 	char *tmp = buf;
 	size_t buf_size = sizeof(buf);
 	int name_len, val_len;
-	uint eff_name_len, eff_val_len;
 	char *s;
 	int ret = 1;
 	size_t bytes_consumed;
@@ -453,32 +426,27 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
 			ret = 0;
 			break;
 		}
-		if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len) ||
-		    !fcgi_param_get_eff_len(p+name_len, p+name_len+val_len, &eff_val_len)) {
-			/* Malicious request */
-			ret = 0;
-			break;
-		}
-		if (eff_name_len >= buf_size-1) {
-			if (eff_name_len > ((uint)-1)-64) { 
+
+		if (name_len >= buf_size-1) {
+			if (name_len > ((uint)-1)-64) { 
 				ret = 0;
 				break;
 			}
-			buf_size = eff_name_len + 64;
+			buf_size = name_len + 64;
 			tmp = (tmp == buf ? emalloc(buf_size): erealloc(tmp, buf_size));
 			if (tmp == NULL) {
 				ret = 0;
 				break;
 			}
 		}
-		memcpy(tmp, p, eff_name_len);
-		tmp[eff_name_len] = 0;
-		s = estrndup((char*)p + name_len, eff_val_len);
+		memcpy(tmp, p, name_len);
+		tmp[name_len] = 0;
+		s = estrndup((char*)p + name_len, val_len);
 		if (s == NULL) {
 			ret = 0;
 			break;
 		}
-		zend_hash_update(req->env, tmp, eff_name_len+1, &s, sizeof(char*), NULL);
+		zend_hash_update(req->env, tmp, name_len+1, &s, sizeof(char*), NULL);
 		p += name_len + val_len;
 	}
 	if (tmp != buf && tmp != NULL) {
author	Jerome Loyet <fat@php.net>	2012-05-26 19:27:02 +0200
committer	Jerome Loyet <fat@php.net>	2012-05-26 19:27:02 +0200
commit	e7ff3e839b4c2a3423729b07ba1d40f45f1d2983 (patch)
tree	99c8cc04de518467f2a5d864f095aa490ab064e9 /sapi/fpm
parent	0298b92b69e5637e8d151790ad6369f7980a406a (diff)
download	php-git-e7ff3e839b4c2a3423729b07ba1d40f45f1d2983.tar.gz