From:
Operating system: All
PHP version: 5.4.0
Package: Built-in web server
Bug Type: Bug
Bug description: Large HTTP request Content-Length header values result in failed malloc() call
Description:
------------
A denial of service condition can be triggered by HTTP requests that are sent to the built-in PHP web server with a large Content-Length header value. The value of the Content-Length header is passed directly to a pemalloc() call in sapi/cli/php_cli_server.c on line 1538. The inline function defined within Zend/zend_alloc.h for malloc() will fail, and will terminate the process with the error message "Out of memory".

1534 static int php_cli_server_client_read_request_on_body(php_http_parser *parser, const char *at, size_t length)
1535 {
1536     php_cli_server_client *client = parser->data;
1537     if (!client->request.content) {
1538         client->request.content = pemalloc(parser->content_length, 1);
1539         client->request.content_len = 0;
1540     }
1541     memmove(client->request.content + client->request.content_len, at, length);
1542     client->request.content_len += length;
1543     return 0;
1544 }

Setting a value for the Content-Length header close to the upper limit of an int for the platform in use (e.g. 2^31 - 10 on 32-bit) will trigger the condition.

Test script:
---------------
An example HTTP request that will trigger the bug is shown below.

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 2147483648

A=B

Expected result:
----------------
The expected output would be a meaningful error message.

Invalid request (Requested Content-Length is larger than the allowed limit of XYZ)

Actual result:
--------------
The output observed for the PHP process is shown below.

PHP 5.4.0 Development Server started at Tue Mar 20 19:41:45 2012
Listening on 127.0.0.1:80
Document root is /tmp
Press Ctrl-C to quit.
Out of memory

--
Edit bug report at https://bugs.php.net/bug.php?id=61461&edit=1
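As an added illustration (not PHP's own code or its eventual fix), a hardened variant of the on_body callback that applies the check the expected result asks for: the declared Content-Length is compared against a configured limit before any allocation, a failed malloc() is reported instead of aborting the process, and the copy is bounded by the declared length. The names body_on_data, struct req_body, simulate_request and the max_body limit are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the request fields of php_cli_server_client. */
struct req_body {
    char  *content;
    size_t content_len;   /* bytes copied so far */
    size_t content_cap;   /* bytes allocated (== declared Content-Length) */
};

enum { BODY_OK = 0, BODY_TOO_LARGE = -1, BODY_NO_MEMORY = -2, BODY_OVERRUN = -3 };

/* Hardened body callback. declared_len is the parsed Content-Length value,
 * max_body an assumed configured upper limit for request bodies. */
int body_on_data(struct req_body *r, size_t declared_len,
                 const char *at, size_t length, size_t max_body)
{
    if (!r->content) {
        if (declared_len > max_body)
            return BODY_TOO_LARGE;         /* reject before allocating anything */
        r->content = malloc(declared_len ? declared_len : 1);
        if (!r->content)
            return BODY_NO_MEMORY;         /* report failure, do not abort */
        r->content_cap = declared_len;
        r->content_len = 0;
    }
    if (length > r->content_cap - r->content_len)
        return BODY_OVERRUN;               /* body longer than declared */
    memmove(r->content + r->content_len, at, length);
    r->content_len += length;
    return BODY_OK;
}

/* Feeds the report's body "A=B" (constructed input) as one chunk under the
 * given declared Content-Length and returns the resulting status code. */
int simulate_request(size_t declared_len, size_t max_body)
{
    struct req_body r = { NULL, 0, 0 };
    const char chunk[] = "A=B";
    int rc = body_on_data(&r, declared_len, chunk, sizeof chunk - 1, max_body);
    free(r.content);
    return rc;
}
```

With an 8 MiB limit, the report's Content-Length of 2147483648 is rejected as BODY_TOO_LARGE before pemalloc()/malloc() is ever reached, while a correctly declared 3-byte body is accepted.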