Fixed bug #61218 (FPM drops connection while receiving some binary valuesin FastCGI requests)

2024-09-23 19:07:26 +00:00 · 2012-05-26 19:27:02 +02:00 · 2012-05-26 19:27:02 +02:00 · e7ff3e839b
commit e7ff3e839b
parent 0298b92b69
2 changed files with 10 additions and 40 deletions
--- a/2
+++ b/2
@ -18,6 +18,8 @@ PHP                                                                        NEWS
  . Fixed bug #62153 (when using unix sockets, multiples FPM instances
    can be launched without errors). (fat)
  . Fixed bug #62160 (Add process.priority to set nice(2) priorities). (fat)
+  . Fixed bug #61218 (FPM drops connection while receiving some binary values
+    in FastCGI requests). (fat)

 - Intl:
  . Fixed bug #62083 (grapheme_extract() memory leaks). (Gustavo)
--- a/sapi/fpm/fpm/fastcgi.c
+++ b/sapi/fpm/fpm/fastcgi.c
@ -395,39 +395,12 @@ static inline size_t fcgi_get_params_len( int *result, unsigned char *p, unsigne
 	return ret;
 }

-static inline int fcgi_param_get_eff_len( unsigned char *p, unsigned char *end, uint *eff_len)
-{
-	int ret = 1;
-	int zero_found = 0;
-        *eff_len = 0;
-	for (; p != end; ++p) {
-		if (*p == '\0') {
-			zero_found = 1;
-		}
-		else {
-			if (zero_found) {
-				ret = 0;
-				break;
-			}
-			if (*eff_len < ((uint)-1)) {
-				++*eff_len;
-			}
-			else {
-				ret = 0;
-				break;
-			}
-		}
-	}
-	return ret;
-}
-
 static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *end)
 {
 	char buf[128];
 	char *tmp = buf;
 	size_t buf_size = sizeof(buf);
 	int name_len, val_len;
-	uint eff_name_len, eff_val_len;
 	char *s;
 	int ret = 1;
 	size_t bytes_consumed;
@ -453,32 +426,27 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
 			ret = 0;
 			break;
 		}
-		if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len) ||
-		    !fcgi_param_get_eff_len(p+name_len, p+name_len+val_len, &eff_val_len)) {
-			/* Malicious request */
-			ret = 0;
-			break;
-		}
-		if (eff_name_len >= buf_size-1) {
-			if (eff_name_len > ((uint)-1)-64) { 
+
+		if (name_len >= buf_size-1) {
+			if (name_len > ((uint)-1)-64) { 
 				ret = 0;
 				break;
 			}
-			buf_size = eff_name_len + 64;
+			buf_size = name_len + 64;
 			tmp = (tmp == buf ? emalloc(buf_size): erealloc(tmp, buf_size));
 			if (tmp == NULL) {
 				ret = 0;
 				break;
 			}
 		}
-		memcpy(tmp, p, eff_name_len);
-		tmp[eff_name_len] = 0;
-		s = estrndup((char*)p + name_len, eff_val_len);
+		memcpy(tmp, p, name_len);
+		tmp[name_len] = 0;
+		s = estrndup((char*)p + name_len, val_len);
 		if (s == NULL) {
 			ret = 0;
 			break;
 		}
-		zend_hash_update(req->env, tmp, eff_name_len+1, &s, sizeof(char*), NULL);
+		zend_hash_update(req->env, tmp, name_len+1, &s, sizeof(char*), NULL);
 		p += name_len + val_len;
 	}
 	if (tmp != buf && tmp != NULL) {