diff options
author | Dmitry Stogov <dmitry@php.net> | 2011-01-19 08:38:25 +0000 |
---|---|---|
committer | Dmitry Stogov <dmitry@php.net> | 2011-01-19 08:38:25 +0000 |
commit | 10cfbb814fe9b67278d70b00e0f1bb86baa63c17 (patch) | |
tree | 19c64d9356c478465b0cf436158c501bf387fa56 /sapi | |
parent | b9b1fb18278bc3a415dc5a73624b8b0e60cf5fec (diff) | |
download | php-git-10cfbb814fe9b67278d70b00e0f1bb86baa63c17.tar.gz |
Added checks for malformated FastCGI requests (Edgar Frank)
Diffstat (limited to 'sapi')
-rw-r--r-- | sapi/cgi/fastcgi.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c index c30dc62a4d..a3e0abddab 100644 --- a/sapi/cgi/fastcgi.c +++ b/sapi/cgi/fastcgi.c @@ -842,33 +842,33 @@ static inline int fcgi_make_header(fcgi_header *hdr, fcgi_request_type type, int static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *end) { unsigned int name_len, val_len; - int ret = 1; while (p < end) { name_len = *p++; if (UNEXPECTED(name_len >= 128)) { + if (UNEXPECTED(p + 3 >= end)) return 0; name_len = ((name_len & 0x7f) << 24); name_len |= (*p++ << 16); name_len |= (*p++ << 8); name_len |= *p++; } + if (UNEXPECTED(p >= end)) return 0; val_len = *p++; if (UNEXPECTED(val_len >= 128)) { + if (UNEXPECTED(p + 3 >= end)) return 0; val_len = ((val_len & 0x7f) << 24); val_len |= (*p++ << 16); val_len |= (*p++ << 8); val_len |= *p++; } - if (UNEXPECTED(name_len + val_len < 0) || - UNEXPECTED(name_len + val_len > (unsigned int) (end - p))) { + if (UNEXPECTED(name_len + val_len > (unsigned int) (end - p))) { /* Malformated request */ - ret = 0; - break; + return 0; } fcgi_hash_set(&req->env, FCGI_HASH_FUNC(p, name_len), (char*)p, name_len, (char*)p + name_len, val_len); p += name_len + val_len; } - return ret; + return 1; } static int fcgi_read_request(fcgi_request *req) |