PHP :: Bug #22657 :: Weak parsing in rfc1867.c

Bug #22657	Weak parsing in rfc1867.c
Submitted:	2003-03-12 03:44 UTC	Modified:	2003-03-13 02:41 UTC
From:	vesely at tana dot it	Assigned:
Status:	Not a bug	Package:	HTTP related
PHP Version:	4.3.0	OS:	Any
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	vesely at tana dot it
New email:
PHP Version:		OS:

New Comment:

[2003-03-12 03:44 UTC] vesely at tana dot it

Hi,
watch out rfc1867.c around line 342, in function
next_line() there is (was?) the following code:

	if (ptr) {
		/* ... */	
	} else {	
		/* ... */

		line[self->bufsize] = 0;
		self->buf_begin = ptr;    /* <=== */
		self->bytes_in_buffer = 0;
	}

ptr is obviously NULL, buf_begin should never be NULL
or the program may crash. So this is a potential
vulnerability for DOS attackers who submit long lines.

Since you're there, would you mind to check why at line
721, in the rfc1867_post_handler function, there is

		boundary_end = strchr(boundary, ',');

Shouldn't it be ';' (semicolon) rather than ',' (comma)?
(Just wandering)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-03-12 16:06 UTC] sesser@php.net

buf_begin can be NULL, no DOS possible -> BOGUS1

searching for ',' is correct this works around a bug
in some IE version -> BOGUS2

[2003-03-13 01:13 UTC] vesely at tana dot it

> buf_begin can be NULL, no DOS possible -> BOGUS1

it is not initialized to NULL, it is never tested for not
being NULL, and around line 232, function fill_buffer

  if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
    memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
        }

should grant the job will be done. Why do you say
it can be NULL? If I have some more time next week
I'll try and prepare a proof of concept.

>  searching for ',' is correct this works around a bug
>  in some IE version -> BOGUS2

Ha ha! I should have guessed it... :-)

[2003-03-13 02:41 UTC] sesser@php.net

It must not be tested for not being NULL because
it is only NULL while self->bytes_in_buffer is
0. There will be no action on it until bytes_in_buffer
becomes > 0. This only happens after the buf begin
is set to the buffer again...

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed Apr 24 23:01:34 2024 UTC