From 5a319a02d881684856c0d4c5b30a19400591983f Mon Sep 17 00:00:00 2001
From: George Wang <gwang@php.net>
Date: Wed, 9 Dec 2015 00:06:49 -0500
Subject: [PATCH] Add sanitizing checks for request data.

---
 sapi/litespeed/lsapilib.c | 56 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 54 insertions(+), 2 deletions(-)

diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c
index 06437c21c0..6abaf0d018 100644
--- a/sapi/litespeed/lsapilib.c
+++ b/sapi/litespeed/lsapilib.c
@@ -437,7 +437,7 @@ static int allocateEnvList( struct LSAPI_key_value_pair ** pEnvList,
                         int *curSize, int newSize )
 {
     struct LSAPI_key_value_pair * pBuf;
-        if ( *curSize >= newSize )
+    if ( *curSize >= newSize )
         return 0;
     if ( newSize > 8192 )
         return -1;
@@ -559,6 +559,40 @@ static void fixHeaderIndexEndian( LSAPI_Request * pReq )
     }
 }
 
+
+static int validateHeaders( LSAPI_Request * pReq )
+{
+    int totalLen = pReq->m_pHeader->m_httpHeaderLen;
+    int i;
+    for(i = 0; i < H_TRANSFER_ENCODING; ++i)
+    {
+        if ( pReq->m_pHeaderIndex->m_headerOff[i] )
+        {
+            if (pReq->m_pHeaderIndex->m_headerOff[i] > totalLen 
+                || pReq->m_pHeaderIndex->m_headerLen[i] 
+                    + pReq->m_pHeaderIndex->m_headerOff[i] > totalLen)
+                return -1;
+        }
+    }
+    if (pReq->m_pHeader->m_cntUnknownHeaders > 0)
+    {
+        struct lsapi_header_offset * pCur, *pEnd;
+        pCur = pReq->m_pUnknownHeader;
+        pEnd = pCur + pReq->m_pHeader->m_cntUnknownHeaders;
+        while( pCur < pEnd )
+        {
+            if (pCur->nameOff > totalLen 
+                || pCur->nameOff + pCur->nameLen > totalLen 
+                || pCur->valueOff > totalLen
+                || pCur->valueOff + pCur->valueLen > totalLen)
+                return -1;
+            ++pCur;
+        }
+    }
+    return 0;
+}
+
+
 static uid_t s_uid = 0;
 static uid_t s_defaultUid;  //web server need set this
 static gid_t s_defaultGid;
@@ -999,7 +1033,18 @@ static int parseRequest( LSAPI_Request * pReq, int totalLen )
     if ( parseEnv( pReq->m_pEnvList, pReq->m_pHeader->m_cntEnv,
                 &pBegin, pEnd ) == -1 )
         return -1;
-
+    if (pReq->m_pHeader->m_scriptFileOff < 0 
+        || pReq->m_pHeader->m_scriptFileOff >= totalLen 
+        || pReq->m_pHeader->m_scriptNameOff < 0
+        || pReq->m_pHeader->m_scriptNameOff >= totalLen
+        || pReq->m_pHeader->m_queryStringOff < 0
+        || pReq->m_pHeader->m_queryStringOff >= totalLen
+        || pReq->m_pHeader->m_requestMethodOff < 0 
+        || pReq->m_pHeader->m_requestMethodOff >= totalLen)
+    {
+        fprintf(stderr, "%d: bad request header - ERROR#1\n", getpid());
+        return -1;
+    }
     pReq->m_pScriptFile     = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptFileOff;
     pReq->m_pScriptName     = pReq->m_pReqBuf + pReq->m_pHeader->m_scriptNameOff;
     pReq->m_pQueryString    = pReq->m_pReqBuf + pReq->m_pHeader->m_queryStringOff;
@@ -1025,6 +1070,13 @@ static int parseRequest( LSAPI_Request * pReq, int totalLen )
     {
         fixHeaderIndexEndian( pReq );
     }
+    
+    if (validateHeaders(pReq) == -1)
+    {
+        fprintf(stderr, "%d: bad request header - ERROR#2\n", getpid());
+        return -1;
+    }
+    
     pReq->m_reqBodyLen = pReq->m_pHeader->m_reqBodyLen;
     if ( pReq->m_reqBodyLen == -2 )
     {
-- 
2.40.0