php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #51288 null pointer deref when <methodName> is not set
Submitted: 2010-03-13 03:20 UTC Modified: 2010-11-16 21:35 UTC
From: geissert@php.net Assigned: geissert (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: 2010-0397
 [2010-03-13 03:20 UTC] geissert@php.net
Description:
------------
This is CVE-2010-0397, originally reported by Auke van Slooten at http://bugs.debian.org/573573

When processing an invalid (one without a <methodName>, required by the specs) XML-RPC request, the extension doesn't check for the NULL value returned by the xmlrpc library. This NULL is then passed to estrdup which dereferences the pointer, leading to a segmentation fault. This can easily be used to perform DoS attacks by crashing the server.

I've already notified security@php.net, but since the issue is public there's no point in hiding it or the patch. The attached patch fixes the problem, which can also be found at:

http://git.debian.org/?p=pkg-php/php.git;a=blob;f=debian/patches/CVE-2010-0397.patch;h=186b2166644c066f28f1ffb9195ffa9f5744a604;hb=HEAD


Test script:
---------------
<?php
$method = '';
$req = '<?xml version="1.0"?><methodCall></methodCall>';
var_dump(xmlrpc_decode_request($req, $method));
var_dump($method);
echo "Done\n";
?>

Expected result:
----------------
NULL
NULL
Done

Actual result:
--------------
Segmentation fault

Patches

CVE-2009-3765 (last revision 2010-03-13 02:20 UTC by geissert@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-03-13 03:20 UTC] geissert@php.net
The following patch has been added/updated:

Patch Name: CVE-2009-3765
Revision:   1268446854
URL:        http://bugs.php.net/patch-display.php?bug=51288&patch=CVE-2009-3765&revision=1268446854
 [2010-03-13 18:00 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: geissert
 [2010-03-13 18:00 UTC] felipe@php.net
Go ahead and commit it. :)
 [2010-03-13 19:39 UTC] geissert@php.net
-Status: Assigned +Status: Closed
 [2010-03-13 19:39 UTC] geissert@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Hope I got the NEWS entry order right
 [2010-03-13 19:40 UTC] geissert@php.net
Automatic comment from SVN on behalf of geissert
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=296152
Log: Fix CVE-2010-0397: null pointer dereference when processing invalid XML-RPC
requests (bug #51288)
 [2010-11-16 00:01 UTC] felipe@php.net
-CVE-ID: 2009-3765 +CVE-ID:
 [2010-11-16 00:02 UTC] felipe@php.net
-Package: XMLRPC-EPI related +Package: Security related -CVE-ID: +CVE-ID: 2009-3765
 [2010-11-16 00:03 UTC] felipe@php.net
-Private report: +Private report: N
 [2010-11-16 01:14 UTC] felipe@php.net
-Private report: N +Private report: Y
 [2010-11-16 01:15 UTC] felipe@php.net
-Private report: +Private report: Y
 [2010-11-16 21:28 UTC] felipe@php.net
-Private report: +Private report: N -CVE-ID: 2009-3765 +CVE-ID: 2010-0397
 [2010-11-16 21:35 UTC] felipe@php.net
-Package: Security related +Package: XMLRPC-EPI related
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 11:01:30 2024 UTC