php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22657 Weak parsing in rfc1867.c
Submitted: 2003-03-12 03:44 UTC Modified: 2003-03-13 02:41 UTC
From: vesely at tana dot it Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.3.0 OS: Any
Private report: No CVE-ID: None
 [2003-03-12 03:44 UTC] vesely at tana dot it
Hi,
watch out rfc1867.c around line 342, in function
next_line() there is (was?) the following code:

	if (ptr) {
		/* ... */	
	} else {	
		/* ... */

		line[self->bufsize] = 0;
		self->buf_begin = ptr;    /* <=== */
		self->bytes_in_buffer = 0;
	}

ptr is obviously NULL, buf_begin should never be NULL
or the program may crash. So this is a potential
vulnerability for DOS attackers who submit long lines.

Since you're there, would you mind to check why at line
721, in the rfc1867_post_handler function, there is

		boundary_end = strchr(boundary, ',');

Shouldn't it be ';' (semicolon) rather than ',' (comma)?
(Just wandering)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-03-12 16:06 UTC] sesser@php.net
buf_begin can be NULL, no DOS possible -> BOGUS1

searching for ',' is correct this works around a bug
in some IE version -> BOGUS2
 [2003-03-13 01:13 UTC] vesely at tana dot it
> buf_begin can be NULL, no DOS possible -> BOGUS1

it is not initialized to NULL, it is never tested for not
being NULL, and around line 232, function fill_buffer

  if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
    memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
        }

should grant the job will be done. Why do you say
it can be NULL? If I have some more time next week
I'll try and prepare a proof of concept.

>  searching for ',' is correct this works around a bug
>  in some IE version -> BOGUS2

Ha ha! I should have guessed it... :-)
 [2003-03-13 02:41 UTC] sesser@php.net
It must not be tested for not being NULL because
it is only NULL while self->bytes_in_buffer is
0. There will be no action on it until bytes_in_buffer
becomes > 0. This only happens after the buf begin
is set to the buffer again...

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 12:01:30 2024 UTC