Bug #22657 Weak parsing in rfc1867.c
Submitted: 2003-03-12 03:44 UTC Modified: 2003-03-13 02:41 UTC
From: vesely at tana dot it Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.3.0 OS: Any
Private report: No CVE-ID: None
 [2003-03-12 03:44 UTC] vesely at tana dot it
Hi,
watch out: in rfc1867.c around line 342, in function
next_line() there is (was?) the following code:

	if (ptr) {
		/* ... */
	} else {
		/* ... */

		line[self->bufsize] = 0;
		self->buf_begin = ptr;    /* <=== */
		self->bytes_in_buffer = 0;
	}

ptr is obviously NULL, buf_begin should never be NULL
or the program may crash. So this is a potential
vulnerability for DOS attackers who submit long lines.

Since you're there, would you mind checking why at line
721, in the rfc1867_post_handler function, there is

		boundary_end = strchr(boundary, ',');

Shouldn't it be ';' (semicolon) rather than ',' (comma)?
(Just wondering)

 [2003-03-12 16:06 UTC] sesser@php.net
buf_begin can be NULL, no DOS possible -> BOGUS1

searching for ',' is correct; this works around a bug
in some IE version -> BOGUS2
 [2003-03-13 01:13 UTC] vesely at tana dot it
> buf_begin can be NULL, no DOS possible -> BOGUS1

it is not initialized to NULL, it is never tested for not
being NULL, and around line 232, function fill_buffer

  if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
    memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
  }

should grant the job will be done. Why do you say
it can be NULL? If I have some more time next week
I'll try and prepare a proof of concept.

>  searching for ',' is correct this works around a bug
>  in some IE version -> BOGUS2

Ha ha! I should have guessed it... :-)
 [2003-03-13 02:41 UTC] sesser@php.net
It must not be tested for not being NULL because
it is only NULL while self->bytes_in_buffer is
0. There will be no action on it until bytes_in_buffer
becomes > 0. This only happens after the buf begin
is set to the buffer again...
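Added illustration, not part of this bug report and not PHP's rfc1867.c: a small C buffered line reader written for this page that mirrors the invariant the last comment relies on. The field and function names (buf_begin, bytes_in_buffer, fill_buffer, next_line) are borrowed from the snippets quoted above; the struct, the BUFSIZE constant, the in-memory "request body" and check_invariant() are assumptions of this example. It shows why the `buf_begin = ptr` (NULL) assignment in the long-line branch never reaches memmove(): buf_begin is NULL only while bytes_in_buffer is 0, and fill_buffer() only dereferences buf_begin when bytes_in_buffer > 0, so a long line just yields buffer-sized fragments rather than a crash.

```c
/* Toy reimplementation for illustration; mirrors the report's logic,
   does not copy PHP's code. BUFSIZE is deliberately tiny so that a
   "long line" is easy to construct. */
#include <assert.h>
#include <stddef.h>
#include <string.h>

#define BUFSIZE 16

typedef struct {
    char buffer[BUFSIZE + 1];  /* +1 for a terminating NUL */
    char *buf_begin;           /* start of unread data, or NULL when empty */
    size_t bytes_in_buffer;
    const char *src;           /* constructed in-memory request body */
    size_t src_len;
    size_t src_pos;
} reader_t;

/* The invariant stated in the last comment: buf_begin may be NULL
   only while bytes_in_buffer == 0. */
int check_invariant(const reader_t *r)
{
    return r->buf_begin != NULL || r->bytes_in_buffer == 0;
}

static void reader_init(reader_t *r, const char *body, size_t len)
{
    memset(r, 0, sizeof *r);
    r->buf_begin = r->buffer;
    r->src = body;
    r->src_len = len;
}

/* Compact unread bytes to the front, then top the buffer up from src.
   Returns the number of new bytes read (0 at end of input). */
static size_t fill_buffer(reader_t *r)
{
    assert(check_invariant(r));
    /* Same guard as the fill_buffer snippet quoted in the report: memmove
       runs only when there is data, and then buf_begin is non-NULL. */
    if (r->bytes_in_buffer > 0 && r->buf_begin != r->buffer) {
        memmove(r->buffer, r->buf_begin, r->bytes_in_buffer);
    }
    r->buf_begin = r->buffer;          /* "set to the buffer again" */

    size_t room = BUFSIZE - r->bytes_in_buffer;
    size_t avail = r->src_len - r->src_pos;
    size_t n = avail < room ? avail : room;
    memcpy(r->buffer + r->bytes_in_buffer, r->src + r->src_pos, n);
    r->src_pos += n;
    r->bytes_in_buffer += n;
    r->buffer[r->bytes_in_buffer] = '\0';
    return n;
}

/* Return the next line (newline stripped) or, when no newline fits in the
   buffer, the whole buffered content as a fragment. The fragment branch is
   the one the report points at: it leaves buf_begin == NULL. */
static char *next_line(reader_t *r)
{
    if (r->bytes_in_buffer == 0 && fill_buffer(r) == 0)
        return NULL;                                   /* end of input */

    char *ptr = memchr(r->buf_begin, '\n', r->bytes_in_buffer);
    if (!ptr && r->bytes_in_buffer < BUFSIZE) {
        fill_buffer(r);                                /* compact, read more */
        ptr = memchr(r->buf_begin, '\n', r->bytes_in_buffer);
    }
    char *line = r->buf_begin;
    if (ptr) {
        *ptr = '\0';
        r->bytes_in_buffer -= (size_t)(ptr - line) + 1;
        r->buf_begin = ptr + 1;
    } else {
        r->buffer[r->bytes_in_buffer] = '\0';
        r->buf_begin = ptr;                            /* NULL, as in the report */
        r->bytes_in_buffer = 0;
    }
    assert(check_invariant(r));
    return line;
}

/* Drive the reader over a constructed body; returns the number of chunks
   next_line() handed back, or -1 if the invariant was ever violated. */
int count_chunks(const char *body)
{
    reader_t r;
    reader_init(&r, body, strlen(body));
    int n = 0;
    while (next_line(&r) != NULL) {
        if (!check_invariant(&r)) return -1;
        n++;
    }
    return n;
}

/* Constructed input: a 40-byte line (2.5 buffers) followed by a short one. */
const char long_body[] =
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\ny\n";
```

With BUFSIZE 16, long_body comes back as two 16-byte fragments, the 8-byte remainder and then "y": four chunks, each transition passing through the NULL state the reporter flagged, and none reaching memmove() with a NULL source. The explicit check_invariant() assertion is the kind of guard a reviewer would want in the real code so that a future refactor of fill_buffer() cannot silently break the reasoning.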
