
Commit 73b1968

committed
Fixed stack-based buffer overflow in transparent cookie encryption (see separate advisory)
1 parent f645362 commit 73b1968

2 files changed

+21
-55
lines changed


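--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,6 @@
 2012-01-11 - 0.9.33-dev
 
+- Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
 - Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
 - Removed crypt() support - because not used for PHP >= 5.3.0 anyway
 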
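--- a/header.c
+++ b/header.c
@@ -40,28 +40,20 @@ static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_
 
 char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
 {
-char buffer[4096];
-char buffer2[4096];
-char *buf = buffer, *buf2 = buffer2, *d, *d_url;
-int l;
-
-if (name_len > sizeof(buffer)-2) {
-buf = estrndup(name, name_len);
-} else {
-memcpy(buf, name, name_len);
-buf[name_len] = 0;
-}
+char *buf, *buf2, *d, *d_url;
+int l;
+
+buf = estrndup(name, name_len);
+
 
 name_len = php_url_decode(buf, name_len);
-normalize_varname(buf);
-name_len = strlen(buf);
+normalize_varname(buf);
+name_len = strlen(buf);
 
 if (SUHOSIN_G(cookie_plainlist)) {
 if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 encrypt_return_plain:
-if (buf != buffer) {
-efree(buf);
-}
+efree(buf);
 return estrndup(value, value_len);
 }
 } else if (SUHOSIN_G(cookie_cryptlist)) {
@@ -70,52 +62,34 @@ char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int v
 }
 }
 
-if (strlen(value) <= sizeof(buffer2)-2) {
-memcpy(buf2, value, value_len);
-buf2[value_len] = 0;
-} else {
-buf2 = estrndup(value, value_len);
-}
+buf2 = estrndup(value, value_len);
 
 value_len = php_url_decode(buf2, value_len);
 
 d = suhosin_encrypt_string(buf2, value_len, buf, name_len, key TSRMLS_CC);
 d_url = php_url_encode(d, strlen(d), &l);
 efree(d);
-if (buf != buffer) {
-efree(buf);
-}
-if (buf2 != buffer2) {
-efree(buf2);
-}
+efree(buf);
+efree(buf2);
 return d_url;
 }
 
 char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key, char **where TSRMLS_DC)
 {
-char buffer[4096];
-char buffer2[4096];
 int o_name_len = name_len;
-char *buf = buffer, *buf2 = buffer2, *d, *d_url;
+char *buf, *buf2, *d, *d_url;
 int l;
 
-if (name_len > sizeof(buffer)-2) {
-buf = estrndup(name, name_len);
-} else {
-memcpy(buf, name, name_len);
-buf[name_len] = 0;
-}
-
+buf = estrndup(name, name_len);
+
 name_len = php_url_decode(buf, name_len);
-normalize_varname(buf);
-name_len = strlen(buf);
+normalize_varname(buf);
+name_len = strlen(buf);
 
 if (SUHOSIN_G(cookie_plainlist)) {
 if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 decrypt_return_plain:
-if (buf != buffer) {
-efree(buf);
-}
+efree(buf);
 memcpy(*where, name, o_name_len);
 *where += o_name_len;
 **where = '='; *where +=1;
@@ -130,12 +104,7 @@ char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int v
 }
 
 
-if (strlen(value) <= sizeof(buffer2)-2) {
-memcpy(buf2, value, value_len);
-buf2[value_len] = 0;
-} else {
-buf2 = estrndup(value, value_len);
-}
+buf2 = estrndup(value, value_len);
 
 value_len = php_url_decode(buf2, value_len);
 
@@ -152,12 +121,8 @@ char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int v
 *where += l;
 efree(d_url);
 skip_cookie:
-if (buf != buffer) {
-efree(buf);
-}
-if (buf2 != buffer2) {
-efree(buf2);
-}
+efree(buf);
+efree(buf2);
 return *where;
 }
 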
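Review bot: In suhosin_decrypt_single_cookie the new declaration `char *buf, *buf2, *d, *d_url;` leaves buf2 indeterminate until `buf2 = estrndup(value, value_len);` (new line 107), yet the `skip_cookie:` label now calls `efree(buf2)` unconditionally, whereas the old `buf2 != buffer2` guard was safe because buf2 started out pointing at the stack array. The lines between the hunks are not shown, so whether a `goto skip_cookie` can be reached before line 107 is inferred, but if one can, that path passes an uninitialized pointer to efree(). Initialising at declaration, `char *buf = NULL, *buf2 = NULL, *d, *d_url;`, and guarding the label as `if (buf2) efree(buf2);` closes that regardless of where the gotos sit (the Zend allocator's efree() should not be assumed to accept NULL). The same declaration change appears in suhosin_encrypt_single_cookie, though its `encrypt_return_plain:` frees only buf, which is assigned immediately after the declaration. Both functions would also benefit from a header comment recording that the returned string is emalloc'd and owned by the caller, and that buf and buf2 are heap copies released on every exit path including the goto labels.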
