Bug #61461 Large HTTP request Content-Length header values result in failed malloc() call
Submitted: 2012-03-21 00:53 UTC
Modified: 2012-03-21 01:16 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: contact at kaankivilcim dot com
Assigned: iliaa
Status: Closed
Package: Built-in web server
PHP Version: 5.4.0
OS: All
Private report: No
CVE-ID: None
 [2012-03-21 00:53 UTC] contact at kaankivilcim dot com
Description:
------------
A denial of service condition can be triggered by HTTP requests that are sent to the built-in PHP web server with a large Content-Length header value.

The value of the Content-Length header is passed directly to a pemalloc() call in sapi/cli/php_cli_server.c on line 1538. The inline function defined within Zend/zend_alloc.h for malloc() will fail, and will terminate the process with the error message "Out of memory".

1534 	static int php_cli_server_client_read_request_on_body(php_http_parser *parser, const char *at, size_t length)
1535 	{
1536 	php_cli_server_client *client = parser->data;
1537 	if (!client->request.content) {
1538 	client->request.content = pemalloc(parser->content_length, 1);
1539 	client->request.content_len = 0;
1540 	}
1541 	memmove(client->request.content + client->request.content_len, at, length);
1542 	client->request.content_len += length;
1543 	return 0;
1544 	}

Setting a value (e.g. 2^31 - 10) for the Content-Length header close to the upper limit of an int for the platform (e.g. 32-bit) in use will trigger the condition.

Test script:
---------------
An example HTTP request that will trigger the bug is shown below.

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 2147483648

A=B

Expected result:
----------------
The expected output would be a meaningful error message.

Invalid request (Requested Content-Length is larger than the allowed limit of XYZ)

Actual result:
--------------
The output observed for the PHP process is shown below.

PHP 5.4.0 Development Server started at Tue Mar 20 19:41:45 2012
Listening on 127.0.0.1:80
Document root is /tmp
Press Ctrl-C to quit.
Out of memory
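
The report above shows the client-declared Content-Length reaching the allocator unchecked. The following is an added example, not code from php-src or from the commit that closed this bug: it bounds the declared length before allocating, treats allocation failure as a per-request error, and refuses body chunks that would exceed the declared length. The names `request_body`, `body_begin`, `body_append` and the 8 MiB `MAX_BODY_BYTES` limit are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap for this sketch; the report leaves the limit as "XYZ". */
#define MAX_BODY_BYTES ((uint64_t)8 * 1024 * 1024)

enum body_status { BODY_OK = 0, BODY_TOO_LARGE, BODY_NO_MEMORY, BODY_OVERRUN };

struct request_body {
    char  *content;      /* buffer sized from the declared Content-Length */
    size_t content_len;  /* bytes received so far */
    size_t declared_len; /* Content-Length after validation */
};

/* Validate the client-declared length before any allocation happens. */
enum body_status body_begin(struct request_body *b, uint64_t declared)
{
    if (declared > MAX_BODY_BYTES)
        return BODY_TOO_LARGE;      /* reject this request, keep serving */
    b->content = malloc(declared ? (size_t)declared : 1);
    if (b->content == NULL)
        return BODY_NO_MEMORY;      /* fail the request, not the process */
    b->content_len = 0;
    b->declared_len = (size_t)declared;
    return BODY_OK;
}

/* Append one parsed chunk, refusing to write past the declared length. */
enum body_status body_append(struct request_body *b, const char *at, size_t length)
{
    if (length > b->declared_len - b->content_len)
        return BODY_OVERRUN;
    memcpy(b->content + b->content_len, at, length);
    b->content_len += length;
    return BODY_OK;
}

int main(void)
{
    struct request_body b = {0};
    /* Constructed inputs: the Content-Length from the report, then a 3-byte body. */
    int rejected = body_begin(&b, 2147483648ULL) == BODY_TOO_LARGE;
    int accepted = body_begin(&b, 3) == BODY_OK && body_append(&b, "A=B", 3) == BODY_OK;
    free(b.content);
    return (rejected && accepted) ? 0 : 1;
}
```

A server using this pattern would map `BODY_TOO_LARGE` to an error response for that client, which is the behaviour the "Expected result" section asks for.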

 [2012-03-21 01:16 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-03-21 01:16 UTC] iliaa@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: iliaa
 [2014-10-07 23:28 UTC] stas@php.net
Automatic comment on behalf of iliaal
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9dcfb8c73fd639485182497ae5a8fc7d7ca7eb11
Log: Fixed bug #61461 (missing checks around malloc() calls).
 [2014-10-07 23:39 UTC] stas@php.net
Automatic comment on behalf of iliaal
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9dcfb8c73fd639485182497ae5a8fc7d7ca7eb11
Log: Fixed bug #61461 (missing checks around malloc() calls).
 [2016-07-18 06:23 UTC] 2790908629 at qq dot com
PHP Content - Length Header Remote denial of service attacks