Edit report at https://bugs.php.net/bug.php?id=61461&edit=1
ID:                 61461
Updated by:         il...@php.net
Reported by:        contact at kaankivilcim dot com
Summary:            Large HTTP request Content-Length header values result in failed malloc() call
-Status:            Open
+Status:            Closed
Type:               Bug
Package:            Built-in web server
Operating System:   All
PHP Version:        5.4.0
-Assigned To:
+Assigned To:       iliaa
Block user comment: N
Private report:     N

New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


Previous Comments:
------------------------------------------------------------------------
[2012-03-21 00:53:18] contact at kaankivilcim dot com

Description:
------------
A denial of service condition can be triggered by HTTP requests that are sent
to the built-in PHP web server with a large Content-Length header value.

The value of the Content-Length header is passed directly to a pemalloc() call
in sapi/cli/php_cli_server.c on line 1538. The inline function defined within
Zend/zend_alloc.h for malloc() will fail, and will terminate the process with
the error message "Out of memory".

1534 static int php_cli_server_client_read_request_on_body(php_http_parser *parser, const char *at, size_t length)
1535 {
1536     php_cli_server_client *client = parser->data;
1537     if (!client->request.content) {
1538         client->request.content = pemalloc(parser->content_length, 1);
1539         client->request.content_len = 0;
1540     }
1541     memmove(client->request.content + client->request.content_len, at, length);
1542     client->request.content_len += length;
1543     return 0;
1544 }

Setting a value (e.g. 2^31 - 10) for the Content-Length header close to the
upper limit of an int for the platform (e.g. 32-bit) in use will trigger the
condition.

Test script:
---------------
An example HTTP request that will trigger the bug is shown below.

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 2147483648

A=B

Expected result:
----------------
The expected output would be a meaningful error message.

Invalid request (Requested Content-Length is larger the allowed limit of XYZ)

Actual result:
--------------
The output observed for the PHP process is shown below.

PHP 5.4.0 Development Server started at Tue Mar 20 19:41:45 2012
Listening on 127.0.0.1:80
Document root is /tmp
Press Ctrl-C to quit.
Out of memory


------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=61461&edit=1
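
Added example (not part of the bug report and not the fix committed to PHP): one way to guard the allocation described in the report, by checking the declared Content-Length against a limit before allocating and rejecting the request instead of terminating the process. The names body_buf and body_append and the 8 MiB MAX_BODY_LEN are assumptions for illustration, and plain malloc() stands in for pemalloc().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for this example (8 MiB); not a PHP setting. */
#define MAX_BODY_LEN ((uint64_t)8 * 1024 * 1024)

struct body_buf {          /* hypothetical stand-in for client->request */
    char  *content;
    size_t content_len;    /* bytes received so far */
    size_t declared_len;   /* validated Content-Length */
};

/* Returns 0 on success, -1 if the request must be rejected. */
int body_append(struct body_buf *b, uint64_t content_length,
                const char *at, size_t length)
{
    if (!b->content) {
        /* Check the declared size before it reaches the allocator. */
        if (content_length > MAX_BODY_LEN)
            return -1;
        /* +1 keeps the request non-zero; cannot overflow after the cap. */
        b->content = malloc((size_t)content_length + 1);
        if (!b->content)
            return -1;     /* fail this request, keep the server alive */
        b->declared_len = (size_t)content_length;
        b->content_len = 0;
    }
    /* Never copy past what was declared and allocated. */
    if (length > b->declared_len - b->content_len)
        return -1;
    memcpy(b->content + b->content_len, at, length);
    b->content_len += length;
    return 0;
}

int main(void)
{
    struct body_buf big = {0}, ok = {0};
    /* Constructed inputs: the report's header value, then a 3-byte body. */
    printf("Content-Length 2147483648 -> %d\n",
           body_append(&big, 2147483648ULL, "A=B", 3));
    printf("Content-Length 3          -> %d\n",
           body_append(&ok, 3, "A=B", 3));
    free(ok.content);
    return 0;
}
```

A caller that receives -1 can answer with an error response such as the one proposed under "Expected result" and close the connection.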