Bug #61218 FPM drops connection while receiving some binary values in FastCGI requests
Submitted: 2012-03-01 12:04 UTC
Modified: 2012-05-26 17:29 UTC
From: bruzh2 at gmail dot com
Assigned: fat
Status: Closed
Package: FPM related
PHP Version: 5.3.10
OS: Ubuntu 10.04.4 LTS x64
Private report: No
CVE-ID:
 [2012-03-01 12:04 UTC] bruzh2 at gmail dot com
Description:
------------
The function fcgi_get_params() checks fastcgi name-value pairs on their effective sizes using fcgi_param_get_eff_len().
This works well only for zero-ended string values, but not for binary data. Suppose we want to transmit binary data with zeroes in the middle.
In that case fcgi_param_get_eff_len() returns 0. That causes FPM to drop FastCGI connection.


Test script:
---------------
How to reproduce (passing binary client address in BREMOTE_ADDR):

nginx server configuration:
http://www.box.com/s/dduo08uni67ilgjnn6rc

TCP session dump (tcpdump -ni lo port 4006 -X -s 0):
http://www.box.com/s/ukkyco8raeijvb3hr8ep


Expected result:
----------------
Expected: full response from PHP. 


Actual result:
--------------
Actually got: TCP reset immediately after receiving data packet with FastCGI request.

You may decode bytes sequence in the data packet. Bytes from 0x0094 to 0x00A5 are:

0x0094 = x0c = 12 (the length of "BREMOTE_ADDR" string)
0x0095 = x04 = 04 (the length of binary data)
0x0096-0x00A1 = "BREMOTE_ADDR" (the name)
0x00A2-0x00A5 = 0x7f 0x00 0x00 0x01 (the binary representation of IPv4 address 127.0.0.1)

I found something like FastCGI specs on http://www.fastcgi.com/drupal/node/6?q=node/22#S5.2
"3.4 Name-Value Pairs
...
This name-value pair format allows the sender to transmit binary values without additional encoding, 
and enables the receiver to allocate the correct amount of storage immediately even for large values."

Thus, I think assuming that all FastCGI data are zero-ended strings is wrong.

I wrote a patch that removes check for non-zero byte after "end of string".

Patches

php-fastcgi_binary_bug-fastcgi.c.patch (last revision 2012-03-01 12:05 UTC by bruzh2 at gmail dot com)

 [2012-03-01 15:09 UTC] bruzh2 at gmail dot com
refine summary field
 [2012-03-01 15:09 UTC] bruzh2 at gmail dot com
-Summary: FPM doesn't receive binary values in FastCGI requests +Summary: FPM drops connection while receiving some binary values in FastCGI requests
 [2012-03-02 03:04 UTC] bruzh2 at gmail dot com
php.ini
http://www.box.com/s/bpuv2ngqoh4mog8srl4d

php-fpm.conf
http://www.box.com/s/o81ruvvf8gx31sd456qm
 [2012-03-02 03:14 UTC] bruzh2 at gmail dot com
linux command line to send HTTP request to nginx:

echo -e "GET /test.php HTTP/1.1\nHost: tmp\nConnection: close\n" | nc localhost 80

nginx response:
HTTP/1.1 502 Bad Gateway
Server: nginx/0.7.68
Date: Thu, 01 Mar 2012 10:39:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 173
Connection: close
Set-Cookie: ngs_uid=fwAAAU9PUdk/Oi4mAwMJAg==; expires=Sun, 27-Feb-22 10:39:21 GMT; domain=ngs.ru; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"

<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/0.7.68</center>
</body>
</html>

Take note this is a LOCAL connection to nginx. Further, nginx transmits 4 bytes ('127.0.0.1' = 0x7f 0x00 0x00 0x01) in the 'BREMOTE_ADDR' FastCGI value. And PHP-FPM drops the FastCGI connection after receiving a non-zero-ended binary sequence in the FastCGI value. Any other connection from an HTTP client without zeroes in the IPv4 address would work.
 [2012-05-22 16:27 UTC] fat@php.net
-Assigned To: +Assigned To: fat
 [2012-05-26 17:29 UTC] fat@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7ff3e839b4c2a3423729b07ba1d40f45f1d2983
Log: Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
 [2012-05-26 17:29 UTC] fat@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=60cca8b9c9b879295dbf1f76e305882e347dcb53
Log: Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
 [2012-05-26 17:29 UTC] fat@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=78de6eb03d3a24691d9f535e2cbe768a9ba8bd48
Log: Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
 [2012-05-26 17:29 UTC] fat@php.net
-Status: Assigned +Status: Closed
 [2012-05-26 17:29 UTC] fat@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-05-26 17:37 UTC] fat@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f7bd57f930bcfdc97b7472fbe6a502cafdc5a59
Log: Fixed bug #61218 (the previous patch was not enough restrictive on fcgi name string checks)
 [2012-05-26 17:37 UTC] fat@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=773e85a788de7dc557201d4af2cb10250c049052
Log: Fixed bug #61218 (the previous patch was not enough restrictive on fcgi name string checks)
 [2012-05-26 17:37 UTC] fat@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7a7f533e32813b13255efa236b711f6d1f6325d
Log: Fixed bug #61218 (the previous patch was not enough restrictive on fcgi name string checks)
 [2012-05-26 17:39 UTC] fat@php.net
Thanks for your patch.

In fact, I pushed another patch which removes the call to fcgi_param_get_eff_len 
for fcgi parameters values. It's now only called for fcgi parameters names.

The fcgi parameters names must be valid strings ended with '\0'.

++ fat
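
The rule discussed in this report (values taken at their declared length, names rejected if they contain a NUL), shown as an added example that is not php-src code and not written by anyone in this thread. The names `get_len`, `parse_pair` and `nv_pair` are hypothetical; the sample bytes are constructed from the offsets 0x0094-0x00A5 quoted in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode one FastCGI length field: 1 byte if the high bit is clear,
 * otherwise 4 bytes big-endian with the high bit masked off. */
static int get_len(const unsigned char **p, const unsigned char *end, size_t *out)
{
    if (*p >= end) return -1;
    if ((**p & 0x80) == 0) { *out = *(*p)++; return 0; }
    if (end - *p < 4) return -1;
    *out = ((size_t)((*p)[0] & 0x7f) << 24) | ((size_t)(*p)[1] << 16)
         | ((size_t)(*p)[2] << 8) | (size_t)(*p)[3];
    *p += 4;
    return 0;
}

struct nv_pair { const unsigned char *name, *value; size_t name_len, value_len; };

/* Parse one pair from [p, end). Returns bytes consumed, or -1 if the pair is
 * truncated or the name contains a NUL byte. The value is never scanned. */
static long parse_pair(const unsigned char *p, const unsigned char *end, struct nv_pair *out)
{
    const unsigned char *start = p;
    size_t nlen, vlen;
    if (get_len(&p, end, &nlen) || get_len(&p, end, &vlen)) return -1;
    if (nlen > (size_t)(end - p) || vlen > (size_t)(end - p) - nlen) return -1;
    if (memchr(p, '\0', nlen) != NULL) return -1;   /* names must be plain strings */
    out->name = p;         out->name_len = nlen;
    out->value = p + nlen; out->value_len = vlen;   /* binary-safe: length only */
    return (long)(p + nlen + vlen - start);
}

/* Constructed sample: BREMOTE_ADDR carrying 127.0.0.1 as four raw bytes. */
static const unsigned char SAMPLE[] = {
    0x0c, 0x04, 'B','R','E','M','O','T','E','_','A','D','D','R',
    0x7f, 0x00, 0x00, 0x01
};
/* Constructed sample: a 3-byte name with a NUL in the middle. */
static const unsigned char BAD_NAME[] = { 0x03, 0x01, 'A', 0x00, 'B', 'x' };

int main(void)
{
    struct nv_pair pr;
    long n = parse_pair(SAMPLE, SAMPLE + sizeof SAMPLE, &pr);
    printf("consumed=%ld value_len=%zu\n", n, n < 0 ? (size_t)0 : pr.value_len);
    printf("bad name -> %ld\n", parse_pair(BAD_NAME, BAD_NAME + sizeof BAD_NAME, &pr));
    return 0;
}
```
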
 [2012-05-29 10:27 UTC] ab@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f7bd57f930bcfdc97b7472fbe6a502cafdc5a59
Log: Fixed bug #61218 (the previous patch was not enough restrictive on fcgi name string checks)
 [2012-05-29 10:27 UTC] ab@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7ff3e839b4c2a3423729b07ba1d40f45f1d2983
Log: Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
 [2012-05-29 10:27 UTC] ab@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=773e85a788de7dc557201d4af2cb10250c049052
Log: Fixed bug #61218 (the previous patch was not enough restrictive on fcgi name string checks)
 [2012-05-29 10:27 UTC] ab@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=60cca8b9c9b879295dbf1f76e305882e347dcb53
Log: Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
 [2012-07-24 23:35 UTC] rasmus@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7a7f533e32813b13255efa236b711f6d1f6325d
Log: Fixed bug #61218 (the previous patch was not enough restrictive on fcgi name string checks)
 [2012-07-24 23:35 UTC] rasmus@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=78de6eb03d3a24691d9f535e2cbe768a9ba8bd48
Log: Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
 [2013-11-17 09:32 UTC] laruence@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e7a7f533e32813b13255efa236b711f6d1f6325d
Log: Fixed bug #61218 (the previous patch was not enough restrictive on fcgi name string checks)
 [2013-11-17 09:32 UTC] laruence@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=78de6eb03d3a24691d9f535e2cbe768a9ba8bd48
Log: Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
 
Last updated: Sat Apr 19 19:02:15 2014 UTC