Fix CVE-2010-0397: null pointer dereference when processing invalid XML-RPC

author Raphael Geissert <geissert@php.net>

Sat, 13 Mar 2010 18:40:29 +0000 (18:40 +0000)

committer Raphael Geissert <geissert@php.net>

Sat, 13 Mar 2010 18:40:29 +0000 (18:40 +0000)
author Raphael Geissert <geissert@php.net>
Sat, 13 Mar 2010 18:40:29 +0000 (18:40 +0000)
committer Raphael Geissert <geissert@php.net>
Sat, 13 Mar 2010 18:40:29 +0000 (18:40 +0000)
diff --git a/ext/xmlrpc/tests/bug51288.phpt b/ext/xmlrpc/tests/bug51288.phpt

new file mode 100644 (file)

index 0000000..d9bdef8
--- /dev/null
+++ b/ext/xmlrpc/tests/bug51288.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request)
+--FILE--
+<?php
+$method = NULL;
+$req = '<?xml version="1.0"?><methodCall></methodCall>';
+var_dump(xmlrpc_decode_request($req, $method));
+var_dump($method);
+echo "Done\n";
+?>
+--EXPECT--
+NULL
+NULL
+Done
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c

index e41d8c235381cdae5cf822f954a8f71abb46f461..256076070d7b26859b01e6cde08b67d7f88a6688 100644 (file)
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -784,6 +784,7 @@ zval* decode_request_worker(char *xml_in, int xml_in_len, char *encoding_in, zva
         zval* retval = NULL;
         XMLRPC_REQUEST response;
         STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
+       const char *method_name;
         opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(encoding_in) : ENCODING_DEFAULT;
  
         /* generate XMLRPC_REQUEST from raw xml */
@@ -794,10 +795,15 @@ zval* decode_request_worker(char *xml_in, int xml_in_len, char *encoding_in, zva
  
                 if (XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
                         if (method_name_out) {
-                               zval_dtor(method_name_out);
-                               Z_TYPE_P(method_name_out) = IS_STRING;
-                               Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
-                               Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+                               method_name = XMLRPC_RequestGetMethodName(response);
+                               if (method_name) {
+                                       zval_dtor(method_name_out);
+                                       Z_TYPE_P(method_name_out) = IS_STRING;
+                                       Z_STRVAL_P(method_name_out) = estrdup(method_name);
+                                       Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+                               } else {
+                                       retval = NULL;
+                               }
                         }
                 }
author	Raphael Geissert <geissert@php.net>
	Sat, 13 Mar 2010 18:40:29 +0000 (18:40 +0000)
committer	Raphael Geissert <geissert@php.net>
	Sat, 13 Mar 2010 18:40:29 +0000 (18:40 +0000)
ext/xmlrpc/tests/bug51288.phpt	[new file with mode: 0644]	patch \| blob
ext/xmlrpc/xmlrpc-epi-php.c		patch \| blob \| history