mirror of
https://github.com/php/php-src.git
synced 2025-08-18 06:58:55 +02:00
Added checks for malformated FastCGI requests (Mattias Bengtsson)
This commit is contained in:
Dmitry Stogov
parent
022d4fc0b6
commit
dd8c8d05e8
1 changed files with 10 additions and 1 deletions
|
|
@ -620,7 +620,8 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
|
||||||
val_len |= (*p++ << 8);
|
val_len |= (*p++ << 8);
|
||||||
val_len |= *p++;
|
val_len |= *p++;
|
||||||
}
|
}
|
||||||
if (p + name_len + val_len > end) {
|
if (name_len + val_len < 0 ||
|
||||||
|
name_len + val_len > end - p) {
|
||||||
/* Malformated request */
|
/* Malformated request */
|
||||||
ret = 0;
|
ret = 0;
|
||||||
break;
|
break;
|
||||||
|
|
@ -676,6 +677,10 @@ static int fcgi_read_request(fcgi_request *req)
|
||||||
padding = hdr.paddingLength;
|
padding = hdr.paddingLength;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (len + padding > FCGI_MAX_LENGTH) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
req->id = (hdr.requestIdB1 << 8) + hdr.requestIdB0;
|
req->id = (hdr.requestIdB1 << 8) + hdr.requestIdB0;
|
||||||
|
|
||||||
if (hdr.type == FCGI_BEGIN_REQUEST && len == sizeof(fcgi_begin_request)) {
|
if (hdr.type == FCGI_BEGIN_REQUEST && len == sizeof(fcgi_begin_request)) {
|
||||||
|
|
@ -712,6 +717,10 @@ static int fcgi_read_request(fcgi_request *req)
|
||||||
padding = hdr.paddingLength;
|
padding = hdr.paddingLength;
|
||||||
|
|
||||||
while (hdr.type == FCGI_PARAMS && len > 0) {
|
while (hdr.type == FCGI_PARAMS && len > 0) {
|
||||||
|
if (len + padding > FCGI_MAX_LENGTH) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (safe_read(req, buf, len+padding) != len+padding) {
|
if (safe_read(req, buf, len+padding) != len+padding) {
|
||||||
req->keep = 0;
|
req->keep = 0;
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue