Fixed buffer overflow with POSTs and huge numbers of name/value pairs…

…. Reduced MAX_PARAMS (now MS_MAX_CGI_PARAMS) from 10,000 to 100. git-svn-id: http://svn.osgeo.org/mapserver/trunk@5704 7532c77e-422f-0410-93f4-f0b67bdd69e2
MapServer · Aug 29, 2006 · c6f51d0 · c6f51d0
1 parent 0960646
commit c6f51d0
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 28 deletions.
diff --git a/cgiutil.c b/cgiutil.c
@@ -27,6 +27,9 @@
  ******************************************************************************
  *
  * $Log$
+ * Revision 1.26  2006/08/29 01:56:53  sdlime
+ * Fixed buffer overflow with POSTs and huge numbers of name/value pairs. Reduced MAX_PARAMS (now MS_MAX_CGI_PARAMS) from 10,000 to 100.
+ *
  * Revision 1.25  2006/05/08 20:28:43  frank
  * force stdin into binary mode when reading from stdin on win32 (bug 1768)
  *
@@ -152,29 +155,36 @@ int loadParams(cgiRequestObj *request){
 
     post_data = readPostBody( request );
     if(strcmp(request->contenttype, "application/x-www-form-urlencoded")) 
-        request->postrequest = post_data;
-    else 
-    {
-        int data_len = strlen(post_data);
-        while( data_len > 0 && isspace(post_data[data_len-1]) )
-            post_data[--data_len] = '\0';
+      request->postrequest = post_data;
+    else {
+      int data_len = strlen(post_data);
+      while( data_len > 0 && isspace(post_data[data_len-1]) )
+        post_data[--data_len] = '\0';
 
-        while( post_data[0] )
-        {
-            request->ParamValues[m] = makeword(post_data,'&');
-            plustospace(request->ParamValues[m]);
-            unescape_url(request->ParamValues[m]);
-            request->ParamNames[m] = makeword(request->ParamValues[m],'=');
-            m++;
+      while( post_data[0] ) {
+        if(m >= MS_MAX_CGI_PARAMS) {
+          msIO_printf("Too many name/value pairs, aborting.\n");
+	  exit(0);
         }
-        free( post_data );
+
+        request->ParamValues[m] = makeword(post_data,'&');
+        plustospace(request->ParamValues[m]);
+        unescape_url(request->ParamValues[m]);
+        request->ParamNames[m] = makeword(request->ParamValues[m],'=');
+        m++;
+      }
+      free( post_data );
     }
 
-    /*check the QUERY_STRING even in the post request since it can contain 
-      information. Eg a wfs request with  */
+    /* check the QUERY_STRING even in the post request since it can contain 
+       information. Eg a wfs request with  */
     s = getenv("QUERY_STRING");
-    if (s){
+    if(s) {
       for(x=0;s[0] != '\0';x++) {       
+        if(m >= MS_MAX_CGI_PARAMS) {
+          msIO_printf("Too many name/value pairs, aborting.\n");
+          exit(0);
+        }
         request->ParamValues[m] = makeword(s,'&');
         plustospace(request->ParamValues[m]);
         unescape_url(request->ParamValues[m]);
@@ -200,6 +210,10 @@ int loadParams(cgiRequestObj *request){
       }
 
       for(x=0;s[0] != '\0';x++) {       
+        if(m >= MS_MAX_CGI_PARAMS) {
+          msIO_printf("Too many name/value pairs, aborting.\n");
+          exit(0);
+        }
         request->ParamValues[m] = makeword(s,'&');
         plustospace(request->ParamValues[m]);
         unescape_url(request->ParamValues[m]);
@@ -217,6 +231,10 @@ int loadParams(cgiRequestObj *request){
   s = getenv("HTTP_COOKIE");
   if(s != NULL) {    
     for(x=0;s[0] != '\0';x++) {
+      if(m >= MS_MAX_CGI_PARAMS) {
+	msIO_printf("Too many name/value pairs, aborting.\n");
+	exit(0);
+      }
       request->ParamValues[m] = makeword(s,';');
       plustospace(request->ParamValues[m]);
       unescape_url(request->ParamValues[m]);

diff --git a/cgiutil.h b/cgiutil.h
@@ -28,6 +28,9 @@
  ******************************************************************************
  *
  * $Log$
+ * Revision 1.19  2006/08/29 01:56:53  sdlime
+ * Fixed buffer overflow with POSTs and huge numbers of name/value pairs. Reduced MAX_PARAMS (now MS_MAX_CGI_PARAMS) from 10,000 to 100.
+ *
  * Revision 1.18  2006/02/22 05:04:34  sdlime
  * Applied patch for bug 1660 to hide certain structures from Swig-based MapScript.
  *
@@ -54,7 +57,7 @@
 /*
 ** Misc. defines
 */
-#define MAX_PARAMS 10000
+#define MS_MAX_CGI_PARAMS 100
 
 enum MS_REQUEST_TYPE {MS_GET_REQUEST, MS_POST_REQUEST};
 

diff --git a/mapscript/php3/mapscript_i.c b/mapscript/php3/mapscript_i.c
@@ -7,6 +7,9 @@
  * $Id$
  *
  * $Log$
+ * Revision 1.100  2006/08/29 01:56:53  sdlime
+ * Fixed buffer overflow with POSTs and huge numbers of name/value pairs. Reduced MAX_PARAMS (now MS_MAX_CGI_PARAMS) from 10,000 to 100.
+ *
  * Revision 1.99  2006/08/22 15:55:03  assefa
  * Adding geos functions to php mapscript (Bug 1327)
  *
@@ -1301,8 +1304,8 @@ cgiRequestObj *cgirequestObj_new()
     cgiRequestObj *request;
     request = msAllocCgiObj();
 
-    request->ParamNames = (char **) malloc(MAX_PARAMS*sizeof(char*));
-    request->ParamValues = (char **) malloc(MAX_PARAMS*sizeof(char*));
+    request->ParamNames = (char **) malloc(MS_MAX_CGI_PARAMS*sizeof(char*));
+    request->ParamValues = (char **) malloc(MS_MAX_CGI_PARAMS*sizeof(char*));
 
     return request;
 }
@@ -1318,8 +1321,8 @@ void cgirequestObj_setParameter(cgiRequestObj *self, char *name, char *value)
 {
     int i;
 
-    if (self->NumParams == MAX_PARAMS) {
-      msSetError(MS_CHILDERR, "Maximum number of items, %d, has been reached", "setItem()", MAX_PARAMS);
+    if (self->NumParams == MS_MAX_CGI_PARAMS) {
+      msSetError(MS_CHILDERR, "Maximum number of items, %d, has been reached", "setItem()", MS_MAX_CGI_PARAMS);
     }
 
     for (i=0; i<self->NumParams; i++) {

diff --git a/mapscript/swiginc/owsrequest.i b/mapscript/swiginc/owsrequest.i
@@ -22,8 +22,8 @@
             return NULL;
         }
 
-        request->ParamNames = (char **) malloc(MAX_PARAMS*sizeof(char*));
-        request->ParamValues = (char **) malloc(MAX_PARAMS*sizeof(char*));
+        request->ParamNames = (char **) malloc(MS_MAX_CGI_PARAMS*sizeof(char*));
+        request->ParamValues = (char **) malloc(MS_MAX_CGI_PARAMS*sizeof(char*));
         if (request->ParamNames==NULL || request->ParamValues==NULL) {
 	        msSetError(MS_MEMERR, NULL, "OWSRequest()");
             return NULL;
@@ -52,8 +52,8 @@
     {
         int i;
 
-        if (self->NumParams == MAX_PARAMS) {
-            msSetError(MS_CHILDERR, "Maximum number of items, %d, has been reached", "setItem()", MAX_PARAMS);
+        if (self->NumParams == MS_MAX_CGI_PARAMS) {
+            msSetError(MS_CHILDERR, "Maximum number of items, %d, has been reached", "setItem()", MS_MAX_CGI_PARAMS);
         }
 
         for (i=0; i<self->NumParams; i++) {

diff --git a/mapserv.c b/mapserv.c
@@ -27,6 +27,9 @@
  ******************************************************************************
  *
  * $Log$
+ * Revision 1.152  2006/08/29 01:56:53  sdlime
+ * Fixed buffer overflow with POSTs and huge numbers of name/value pairs. Reduced MAX_PARAMS (now MS_MAX_CGI_PARAMS) from 10,000 to 100.
+ *
  * Revision 1.151  2006/07/05 05:50:14  frank
  * avoid mapservobj leak in some error cases
  *
@@ -1184,8 +1187,8 @@ int main(int argc, char *argv[]) {
 /* -------------------------------------------------------------------- */
     msObj = msAllocMapServObj();
 
-    msObj->request->ParamNames = (char **) malloc(MAX_PARAMS*sizeof(char*));
-    msObj->request->ParamValues = (char **) malloc(MAX_PARAMS*sizeof(char*));
+    msObj->request->ParamNames = (char **) malloc(MS_MAX_CGI_PARAMS*sizeof(char*));
+    msObj->request->ParamValues = (char **) malloc(MS_MAX_CGI_PARAMS*sizeof(char*));
     if (msObj->request->ParamNames==NULL || msObj->request->ParamValues==NULL) {
 	msSetError(MS_MEMERR, NULL, "mapserv()");
 	writeError();