php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61461 Large HTTP request Content-Length header values result in failed malloc() call
Submitted: 2012-03-21 00:53 UTC Modified: 2012-03-21 01:16 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: contact at kaankivilcim dot com Assigned: iliaa (profile)
Status: Closed Package: Built-in web server
PHP Version: 5.4.0 OS: All
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: contact at kaankivilcim dot com
New email:
PHP Version: OS:

 

 [2012-03-21 00:53 UTC] contact at kaankivilcim dot com
Description:
------------
A denial of service condition can be triggered by HTTP requests that are sent to the built-in PHP web server with a large Content-Length header value.

The value of the Content-Length header is passed directly to a pemalloc() call in sapi/cli/php_cli_server.c on line 1538. The inline function defined within Zend/zend_alloc.h for malloc() will fail, and will terminate the process with the error message "Out of memory".

1534 	static int php_cli_server_client_read_request_on_body(php_http_parser *parser, const char *at, size_t length)
1535 	{
1536 	php_cli_server_client *client = parser->data;
1537 	if (!client->request.content) {
1538 	client->request.content = pemalloc(parser->content_length, 1);
1539 	client->request.content_len = 0;
1540 	}
1541 	memmove(client->request.content + client->request.content_len, at, length);
1542 	client->request.content_len += length;
1543 	return 0;
1544 	}

Setting a value (e.g. 2^31 - 10) for the Content-Length header close to the upper limit of an int for the platform (e.g. 32-bit) in use will trigger the condition.

Test script:
---------------
An example HTTP request that will trigger the bug is shown below.

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 2147483648

A=B

Expected result:
----------------
The expected output would be a meaningful error message.

Invalid request (Requested Content-Length is larger the allowed limit of XYZ)

Actual result:
--------------
The output observed for the PHP process is shown below.

PHP 5.4.0 Development Server started at Tue Mar 20 19:41:45 2012
Listening on 127.0.0.1:80
Document root is /tmp
Press Ctrl-C to quit.
Out of memory

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-21 01:16 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-03-21 01:16 UTC] iliaa@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: iliaa
 [2014-10-07 23:28 UTC] stas@php.net
Automatic comment on behalf of iliaal
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9dcfb8c73fd639485182497ae5a8fc7d7ca7eb11
Log: Fixed bug #61461 (missing checks around malloc() calls).
 [2014-10-07 23:39 UTC] stas@php.net
Automatic comment on behalf of iliaal
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9dcfb8c73fd639485182497ae5a8fc7d7ca7eb11
Log: Fixed bug #61461 (missing checks around malloc() calls).
 [2016-07-18 06:23 UTC] 2790908629 at qq dot com
PHP Content - Length Header Remote denial of service attacks
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC