Bug #37576 FastCGI env (cgi vars) table overflow
Submitted: 2006-05-24 09:42 UTC Modified: 2006-05-25 07:07 UTC
From: gacek at intertele dot pl Assigned: dmitry
Status: Closed Package: Reproducible crash
PHP Version: 5.1.5CVS OS: Linux
Private report: No CVE-ID:
 [2006-05-24 09:42 UTC] gacek at intertele dot pl
Description:
------------
Too many CGI variables overflow the cgi var table (128 entries) in fastcgi mode, crashing the php process.
Default env table size (127 usable entries) may be too small in cgi+ssl+force_redirect.
Apparently it's fixed in 5.2 branch, but not in 5.1.

Expected result:
----------------
No crash, larger env table.

Actual result:
--------------
Simple fix below increases env table to 256 (255 usable entries) and performs checks where appropriate.

diff -ru php-5.1.4/sapi/cgi/fastcgi.c php-5.1.4-patched/sapi/cgi/fastcgi.c
--- php-5.1.4/sapi/cgi/fastcgi.c        2006-05-23 14:23:08.000000000 +0200
+++ php-5.1.4-patched/sapi/cgi/fastcgi.c        2006-05-23 08:14:25.000000000 +0200
@@ -401,7 +401,7 @@
        int name_len, val_len;
        char *s;
 
-       while (p < end) {
+       while (p < end && n < FCGI_MAX_ENV_VARS - 1) {
                name_len = *p++;
                if (name_len >= 128) {
                        name_len = ((name_len & 0x7f) << 24);
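Review bot: the new loop condition `n < FCGI_MAX_ENV_VARS - 1` stops parsing silently once the table is full, so every variable after the 255th is dropped with no error and no log line, and the caller cannot distinguish a complete environment from a truncated one. Consider signalling failure (or at least logging) when `p < end` still holds after the loop, so an over-limit request is rejected rather than processed with a partial environment. Also worth confirming from the surrounding code that `n` is the count of entries already stored in `req->env` and that the `- 1` corresponds to a NULL terminator written after the loop; neither is visible in this hunk.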
@@ -928,7 +928,9 @@
                        }
                        env++;
                }
-               *env = fcgi_strndup(var, var_len);
+               
+               if (env < req->env + sizeof(req->env) - 1)
+                       *env = fcgi_strndup(var, var_len);
        }
 }
 
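Review bot: the bound `env < req->env + sizeof(req->env) - 1` is computed in bytes, not elements. `sizeof(req->env)` is `FCGI_MAX_ENV_VARS * sizeof(char *)`, so the pointer arithmetic produces an address far past the end of the array and the comparison is effectively always true (forming that pointer is itself undefined behaviour). It should read `env < req->env + FCGI_MAX_ENV_VARS - 1`, or divide by `sizeof(req->env[0])`. As written this hunk adds no overflow protection; the only effective guard in the patch is the loop bound in the first hunk. When the check does fail the variable is silently discarded, which deserves at least a log line. The added `+` line before the `if` also carries trailing whitespace.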
diff -ru php-5.1.4/sapi/cgi/fastcgi.h php-5.1.4-patched/sapi/cgi/fastcgi.h
--- php-5.1.4/sapi/cgi/fastcgi.h        2006-05-03 17:39:16.000000000 +0200
+++ php-5.1.4-patched/sapi/cgi/fastcgi.h        2006-05-23 07:59:36.000000000 +0200
@@ -26,6 +26,8 @@
 
 #define FCGI_KEEP_CONN  1
 
+#define FCGI_MAX_ENV_VARS 256
+
 typedef enum _fcgi_role {
        FCGI_RESPONDER  = 1,
        FCGI_AUTHORIZER = 2,
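Review bot: a one-line comment at the `#define` stating that one of the 256 slots is reserved for the NULL terminator would document why callers compare against `FCGI_MAX_ENV_VARS - 1`; as it stands, a reader of fastcgi.h sees a limit of 256 while the usable count is 255, as the description notes.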
@@ -105,7 +107,7 @@
        unsigned char  out_buf[1024*8];
        unsigned char  reserved[sizeof(fcgi_end_request_rec)];
 
-       char          *env[128];
+       char          *env[FCGI_MAX_ENV_VARS];
 } fcgi_request;
 
 int fcgi_init(void);


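As an added illustration of the bounded table the report asks for (this is not PHP's code or the patch): a NULL-terminated pointer table whose capacity check counts elements rather than bytes, so the terminator slot is always preserved and excess variables are refused instead of overrunning the array. FCGI_MAX_ENV_VARS is the value from the patch; the env_table type and the env_* helpers are assumed names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's code: a fixed-capacity, NULL-terminated table of
 * "NAME=value" strings modelled on env[] in fcgi_request. FCGI_MAX_ENV_VARS is
 * the patch's value; env_table and the env_* helpers are assumed names. */
#define FCGI_MAX_ENV_VARS 256

typedef struct {
    char *env[FCGI_MAX_ENV_VARS];   /* the last used slot is followed by NULL */
} env_table;

/* Element count: sizeof(t->env) alone is 256 * sizeof(char *) bytes, and a bound
 * built from that would point far past the end of the array. */
static size_t env_capacity(const env_table *t) { return sizeof(t->env) / sizeof(t->env[0]); }
size_t env_count(const env_table *t) {   /* entries stored, scanning to the NULL */
    size_t n = 0;
    while (n < env_capacity(t) && t->env[n] != NULL) n++;
    return n;
}
/* Append a copy of var. Returns 1 on success, 0 (table unchanged) once the table
 * holds capacity - 1 entries, so the terminator slot is never overwritten. */
int env_add(env_table *t, const char *var, size_t var_len) {
    size_t n = env_count(t);
    if (n + 1 >= env_capacity(t)) return 0;
    char *copy = malloc(var_len + 1);
    if (copy == NULL) return 0;
    memcpy(copy, var, var_len);
    copy[var_len] = '\0';
    t->env[n] = copy;
    t->env[n + 1] = NULL;
    return 1;
}
void env_free(env_table *t) {
    for (size_t i = 0; i < env_capacity(t) && t->env[i] != NULL; i++) free(t->env[i]);
    memset(t->env, 0, sizeof(t->env));
}

/* Feed `count` constructed variables (VAR0=x, ...); returns how many were accepted. */
size_t env_fill(env_table *t, size_t count) {
    size_t accepted = 0;
    char buf[32];
    for (size_t i = 0; i < count; i++) {
        int len = snprintf(buf, sizeof buf, "VAR%zu=x", i);
        if (!env_add(t, buf, (size_t)len)) break;
        accepted++;
    }
    return accepted;
}
```

Feeding 300 constructed variables accepts exactly 255 and leaves env[255] as the terminator; the 256th is refused rather than written past the array.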
 [2006-05-25 07:07 UTC] dmitry@php.net
Patch is applied to PHP_5_1.

The problem is already fixed in HEAD and PHP_5_2.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 10:02:06 2014 UTC