Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI...
authorJerome Loyet <fat@php.net>
Sat, 26 May 2012 17:27:45 +0000 (19:27 +0200)
committerJerome Loyet <fat@php.net>
Sat, 26 May 2012 17:27:45 +0000 (19:27 +0200)
NEWS
sapi/fpm/fpm/fastcgi.c

diff --git a/NEWS b/NEWS
index 8314eda61247a2d6d12d5fcdebd1a6498c78dc1a..eed55f1e1a580c026425ca5842c31fc2ba7d6c51 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -66,6 +66,8 @@ PHP                                                                        NEWS
   . Fixed bug #62153 (when using unix sockets, multiples FPM instances
     can be launched without errors). (fat)
   . Fixed bug #62160 (Add process.priority to set nice(2) priorities). (fat)
+  . Fixed bug #61218 (FPM drops connection while receiving some binary values
+    in FastCGI requests). (fat)
 
 - Intl
   . ResourceBundle constructor now accepts NULL for the first two arguments.
index 212b6ff1db5221e7540f23f4c58ed02deae9822a..9df26f11cdb497108850d4b5ad42089d8129312b 100644 (file)
@@ -395,39 +395,12 @@ static inline size_t fcgi_get_params_len( int *result, unsigned char *p, unsigne
        return ret;
 }
 
-static inline int fcgi_param_get_eff_len( unsigned char *p, unsigned char *end, uint *eff_len)
-{
-       int ret = 1;
-       int zero_found = 0;
-        *eff_len = 0;
-       for (; p != end; ++p) {
-               if (*p == '\0') {
-                       zero_found = 1;
-               }
-               else {
-                       if (zero_found) {
-                               ret = 0;
-                               break;
-                       }
-                       if (*eff_len < ((uint)-1)) {
-                               ++*eff_len;
-                       }
-                       else {
-                               ret = 0;
-                               break;
-                       }
-               }
-       }
-       return ret;
-}
-
 static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *end)
 {
        char buf[128];
        char *tmp = buf;
        size_t buf_size = sizeof(buf);
        int name_len, val_len;
-       uint eff_name_len, eff_val_len;
        char *s;
        int ret = 1;
        size_t bytes_consumed;
@@ -453,32 +426,27 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
                        ret = 0;
                        break;
                }
-               if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len) ||
-                   !fcgi_param_get_eff_len(p+name_len, p+name_len+val_len, &eff_val_len)) {
-                       /* Malicious request */
-                       ret = 0;
-                       break;
-               }
-               if (eff_name_len >= buf_size-1) {
-                       if (eff_name_len > ((uint)-1)-64) { 
+
+               if (name_len >= buf_size-1) {
+                       if (name_len > ((uint)-1)-64) { 
                                ret = 0;
                                break;
                        }
-                       buf_size = eff_name_len + 64;
+                       buf_size = name_len + 64;
                        tmp = (tmp == buf ? emalloc(buf_size): erealloc(tmp, buf_size));
                        if (tmp == NULL) {
                                ret = 0;
                                break;
                        }
                }
-               memcpy(tmp, p, eff_name_len);
-               tmp[eff_name_len] = 0;
-               s = estrndup((char*)p + name_len, eff_val_len);
+               memcpy(tmp, p, name_len);
+               tmp[name_len] = 0;
+               s = estrndup((char*)p + name_len, val_len);
                if (s == NULL) {
                        ret = 0;
                        break;
                }
-               zend_hash_update(req->env, tmp, eff_name_len+1, &s, sizeof(char*), NULL);
+               zend_hash_update(req->env, tmp, name_len+1, &s, sizeof(char*), NULL);
                p += name_len + val_len;
        }
        if (tmp != buf && tmp != NULL) {
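Review bot: Embedded NUL bytes in a parameter name or value are now stored unchecked: the name goes in under a `name_len+1`-byte key, and the value is copied by `estrndup((char*)p + name_len, val_len)` but kept in `req->env` as a bare `char *` with no length. Any consumer that reads these as C strings (none are visible in this hunk) would see the text only up to the first NUL, which can differ from what the front-end web server validated or logged. Since the bug title concerns binary values only, names could still be rejected before the copy with `if (memchr(p, '\0', name_len)) { ret = 0; break; }`, and a comment on the `estrndup` line should say that values may contain NUL bytes. Separately, `name_len` is an `int`, so assuming `uint` is `unsigned int`, the guard `name_len > ((uint)-1)-64` can no longer be true for a non-negative length; a bound such as `name_len > INT_MAX - 64` would keep `buf_size = name_len + 64` protected. The body of fcgi_get_params starts and ends outside this hunk, so the earlier length validation is not visible here.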