archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-18 06:58:55 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Added checks for malformated FastCGI requests (Mattias Bengtsson)

Browse source
This commit is contained in:
Dmitry Stogov 2007-09-07 08:26:47 +00:00
parent 022d4fc0b6
commit dd8c8d05e8
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
sapi/cgi/fastcgi.c
View file

@ -620,7 +620,8 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
val_len |= (*p++ << 8);
val_len |= *p++;
}
if (p + name_len + val_len > end) {
if (name_len + val_len < 0 ||
name_len + val_len > end - p) {
/* Malformated request */
ret = 0;
break;
@ -676,6 +677,10 @@ static int fcgi_read_request(fcgi_request *req)
padding = hdr.paddingLength;
}
if (len + padding > FCGI_MAX_LENGTH) {
return 0;
}
req->id = (hdr.requestIdB1 << 8) + hdr.requestIdB0;
if (hdr.type == FCGI_BEGIN_REQUEST && len == sizeof(fcgi_begin_request)) {
@ -712,6 +717,10 @@ static int fcgi_read_request(fcgi_request *req)
padding = hdr.paddingLength;
while (hdr.type == FCGI_PARAMS && len > 0) {
if (len + padding > FCGI_MAX_LENGTH) {
return 0;
}
if (safe_read(req, buf, len+padding) != len+padding) {
req->keep = 0;
return 0;