Bug #51288 null pointer deref when <methodName> is not set
Submitted: 2010-03-13 03:20 UTC Modified: 2010-11-16 21:35 UTC
From: geissert@php.net Assigned: geissert (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: 2010-0397
 [2010-03-13 03:20 UTC] geissert@php.net
Description:
------------
This is CVE-2010-0397, originally reported by Auke van Slooten at http://bugs.debian.org/573573

When processing an invalid (one without a <methodName>, required by the specs) XML-RPC request, the extension doesn't check for the NULL value returned by the xmlrpc library. This NULL is then passed to estrdup which dereferences the pointer, leading to a segmentation fault. This can easily be used to perform DoS attacks by crashing the server.

I've already notified security@php.net, but since the issue is public there's no point in hiding it or the patch. The attached patch fixes the problem, which can also be found at:

http://git.debian.org/?p=pkg-php/php.git;a=blob;f=debian/patches/CVE-2010-0397.patch;h=186b2166644c066f28f1ffb9195ffa9f5744a604;hb=HEAD


Test script:
---------------
<?php
$method = '';
$req = '<?xml version="1.0"?><methodCall></methodCall>';
var_dump(xmlrpc_decode_request($req, $method));
var_dump($method);
echo "Done\n";
?>

Expected result:
----------------
NULL
NULL
Done

Actual result:
--------------
Segmentation fault
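The failure described above, reduced to its control flow as an added C example. This is not the PHP extension's code, not the xmlrpc library, and not the attached patch: `request_method_name()` is a hypothetical stand-in for the library call that returns NULL when no <methodName> is present, and `dup_string()` stands in for estrdup(), which dereferences its argument. The "before" function reproduces the crash on a constructed request of the same shape as the test script; the "after" function adds the missing NULL check and hands NULL back to the caller, which is the expected result given in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the library call that returns the method name of a
 * parsed <methodCall>. As the report describes for the real library, it returns
 * NULL when the request has no (complete) <methodName> element. The element is
 * located with a naive substring scan; that is enough to show the control flow. */
const char *request_method_name(const char *req, char *buf, size_t bufsize)
{
    const char *open = strstr(req, "<methodName>");
    if (open == NULL) return NULL;                 /* element missing */
    open += strlen("<methodName>");
    const char *close = strstr(open, "</methodName>");
    if (close == NULL) return NULL;                /* element unterminated */
    size_t len = (size_t)(close - open);
    if (len >= bufsize) return NULL;               /* does not fit: treat as invalid */
    memcpy(buf, open, len);
    buf[len] = '\0';
    return buf;
}

/* Stand-in for estrdup(): duplicates a C string. strlen(NULL) is the null
 * pointer dereference that produced the reported segmentation fault. */
char *dup_string(const char *s)
{
    size_t len = strlen(s);
    char *copy = malloc(len + 1);
    if (copy == NULL) abort();
    memcpy(copy, s, len + 1);
    return copy;
}

/* BEFORE (the vulnerable pattern): the library result is passed straight to the
 * duplicating call, so a <methodCall> without <methodName> crashes the process.
 * Kept only for comparison with the checked version below; do not call it on
 * a request that lacks <methodName>. */
char *decode_method_unchecked(const char *req)
{
    char buf[128];
    const char *name = request_method_name(req, buf, sizeof buf);
    return dup_string(name);                       /* name may be NULL */
}

/* AFTER (the fix): test for NULL before duplicating and report the invalid
 * request to the caller as NULL, matching the report's "Expected result". */
char *decode_method_checked(const char *req)
{
    char buf[128];
    const char *name = request_method_name(req, buf, sizeof buf);
    if (name == NULL) return NULL;
    return dup_string(name);
}

/* Convenience check: 1 if decoding req yields expected (NULL meaning "no method"). */
int decoded_method_is(const char *req, const char *expected)
{
    char *m = decode_method_checked(req);
    int ok = (m == NULL) ? (expected == NULL)
                         : (expected != NULL && strcmp(m, expected) == 0);
    free(m);
    return ok;
}

int main(void)
{
    /* Constructed request with the same shape as the report's test script. */
    const char *bad = "<?xml version=\"1.0\"?><methodCall></methodCall>";
    char *m = decode_method_checked(bad);
    printf("method: %s\n", m ? m : "NULL");       /* prints "method: NULL" */
    free(m);
    return 0;
}
```

The design point is the one the report makes: a library accessor that can legitimately return NULL for malformed input must be checked at every call site before the value reaches a function that dereferences it, and "request is invalid" should be surfaced to the caller as a normal return value rather than left to crash the worker.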

Patches

CVE-2009-3765 (last revision 2010-03-13 02:20 UTC by geissert@php.net)

Pull Requests

History

 [2010-03-13 03:20 UTC] geissert@php.net
The following patch has been added/updated:

Patch Name: CVE-2009-3765
Revision:   1268446854
URL:        http://bugs.php.net/patch-display.php?bug=51288&patch=CVE-2009-3765&revision=1268446854
 [2010-03-13 18:00 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: geissert
 [2010-03-13 18:00 UTC] felipe@php.net
Go ahead and commit it. :)
 [2010-03-13 19:39 UTC] geissert@php.net
-Status: Assigned +Status: Closed
 [2010-03-13 19:39 UTC] geissert@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Hope I got the NEWS entry order right
 [2010-03-13 19:40 UTC] geissert@php.net
Automatic comment from SVN on behalf of geissert
Revision: http://svn.php.net/viewvc/?view=revision&revision=296152
Log: Fix CVE-2010-0397: null pointer dereference when processing invalid XML-RPC
requests (bug #51288)
 [2010-11-16 00:01 UTC] felipe@php.net
-CVE-ID: 2009-3765 +CVE-ID:
 [2010-11-16 00:02 UTC] felipe@php.net
-Package: XMLRPC-EPI related +Package: Security related -CVE-ID: +CVE-ID: 2009-3765
 [2010-11-16 00:03 UTC] felipe@php.net
-Private report: +Private report: N
 [2010-11-16 01:14 UTC] felipe@php.net
-Private report: N +Private report: Y
 [2010-11-16 01:15 UTC] felipe@php.net
-Private report: +Private report: Y
 [2010-11-16 21:28 UTC] felipe@php.net
-Private report: +Private report: N -CVE-ID: 2009-3765 +CVE-ID: 2010-0397
 [2010-11-16 21:35 UTC] felipe@php.net
-Package: Security related +Package: XMLRPC-EPI related