Added checks for malformated FastCGI requests (Mattias Bengtsson)
authorDmitry Stogov <dmitry@php.net>
Fri, 7 Sep 2007 08:30:10 +0000 (08:30 +0000)
committerDmitry Stogov <dmitry@php.net>
Fri, 7 Sep 2007 08:30:10 +0000 (08:30 +0000)
sapi/cgi/fastcgi.c

index 50f8a250b14b3e38cb5a36c4f31d79016ab9f72d..85855036d31e9a97124a2373d3cf877059b687e0 100644 (file)
@@ -620,7 +620,8 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
                        val_len |= (*p++ << 8);
                        val_len |= *p++;
                }
-               if (p + name_len + val_len > end) {
+               if (name_len + val_len < 0 ||
+                   name_len + val_len > end - p) {
                        /* Malformated request */
                        ret = 0;
                        break;
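Review bot: The `name_len + val_len < 0` test in the new condition relies on signed overflow wrapping to a negative value, which is undefined behaviour in C if both lengths are `int`. Their declarations are outside the hunk, but the `< 0` comparison suggests signed types. The multi-byte decoding visible just above presumably lets each length approach 2^31, so the sum can overflow; an optimising compiler may then drop the test and leave the second comparison working on a wrapped value. Comparing each length against the remaining space avoids the addition altogether: `if (name_len < 0 || val_len < 0 || name_len > end - p || val_len > (end - p) - name_len) {`. The length bytes above are also read with `*p++` before any comparison against `end`; that is context rather than part of this change, and the enclosing loop starts outside the hunk.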
@@ -676,6 +677,10 @@ static int fcgi_read_request(fcgi_request *req)
                padding = hdr.paddingLength;
        }
 
+       if (len + padding > FCGI_MAX_LENGTH) {
+               return 0;
+       }
+
        req->id = (hdr.requestIdB1 << 8) + hdr.requestIdB0;
 
        if (hdr.type == FCGI_BEGIN_REQUEST && len == sizeof(fcgi_begin_request)) {
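Review bot: The new `len + padding > FCGI_MAX_LENGTH` check covers only the header values in scope at this point, and fcgi_read_request continues outside the hunk. The assignment `padding = hdr.paddingLength;` just above sits inside a block, which suggests headers may be read more than once. If `len` and `padding` are reassigned from later record headers further down, the same bound has to be applied after each of those reads, before the values are used as a read size. A short comment would also help, since neither the constant's value nor the buffer it presumably protects is visible here, for example `/* content + padding must fit in the receive buffer */`.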