Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
commit 73b1968ee30f6d9d2dae497544b910e68e114bfa 1 parent f645362
@stefanesser authored
Showing with 21 additions and 55 deletions.
  1. +1 −0  Changelog
  2. +20 −55 header.c
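--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,6 @@
 2012-01-11 - 0.9.33-dev
+- Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
 - Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
 - Removed crypt() support - because not used for PHP >= 5.3.0 anyway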
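--- a/header.c
+++ b/header.c
@@ -40,28 +40,20 @@ static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_
 char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
 {
-char buffer[4096];
-char buffer2[4096];
-char *buf = buffer, *buf2 = buffer2, *d, *d_url;
-int l;
-
-if (name_len > sizeof(buffer)-2) {
-buf = estrndup(name, name_len);
-} else {
-memcpy(buf, name, name_len);
-buf[name_len] = 0;
-}
+char *buf, *buf2, *d, *d_url;
+int l;
+
+buf = estrndup(name, name_len);
+
 name_len = php_url_decode(buf, name_len);
-normalize_varname(buf);
-name_len = strlen(buf);
+normalize_varname(buf);
+name_len = strlen(buf);
 if (SUHOSIN_G(cookie_plainlist)) {
 if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 encrypt_return_plain:
-if (buf != buffer) {
-efree(buf);
-}
+efree(buf);
 return estrndup(value, value_len);
 }
 } else if (SUHOSIN_G(cookie_cryptlist)) {
@@ -70,52 +62,34 @@ char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int v
 }
 }
-if (strlen(value) <= sizeof(buffer2)-2) {
-memcpy(buf2, value, value_len);
-buf2[value_len] = 0;
-} else {
-buf2 = estrndup(value, value_len);
-}
+buf2 = estrndup(value, value_len);
 value_len = php_url_decode(buf2, value_len);
 d = suhosin_encrypt_string(buf2, value_len, buf, name_len, key TSRMLS_CC);
 d_url = php_url_encode(d, strlen(d), &l);
 efree(d);
-if (buf != buffer) {
-efree(buf);
-}
-if (buf2 != buffer2) {
-efree(buf2);
-}
+efree(buf);
+efree(buf2);
 return d_url;
 }
 char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key, char **where TSRMLS_DC)
 {
-char buffer[4096];
-char buffer2[4096];
 int o_name_len = name_len;
-char *buf = buffer, *buf2 = buffer2, *d, *d_url;
+char *buf, *buf2, *d, *d_url;
 int l;
-if (name_len > sizeof(buffer)-2) {
-buf = estrndup(name, name_len);
-} else {
-memcpy(buf, name, name_len);
-buf[name_len] = 0;
-}
-
+buf = estrndup(name, name_len);
+
 name_len = php_url_decode(buf, name_len);
-normalize_varname(buf);
-name_len = strlen(buf);
+normalize_varname(buf);
+name_len = strlen(buf);
 if (SUHOSIN_G(cookie_plainlist)) {
 if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 decrypt_return_plain:
-if (buf != buffer) {
-efree(buf);
-}
+efree(buf);
 memcpy(*where, name, o_name_len);
 *where += o_name_len;
 **where = '='; *where +=1;
@@ -130,12 +104,7 @@ char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int v
 }
-if (strlen(value) <= sizeof(buffer2)-2) {
-memcpy(buf2, value, value_len);
-buf2[value_len] = 0;
-} else {
-buf2 = estrndup(value, value_len);
-}
+buf2 = estrndup(value, value_len);
 value_len = php_url_decode(buf2, value_len);
@@ -152,12 +121,8 @@ char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int v
 *where += l;
 efree(d_url);
 skip_cookie:
-if (buf != buffer) {
-efree(buf);
-}
-if (buf2 != buffer2) {
-efree(buf2);
-}
+efree(buf);
+efree(buf2);
 return *where;
 }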
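Review bot: `skip_cookie:` in the last hunk of suhosin_decrypt_single_cookie frees `buf2` unconditionally although `buf2` is now declared without an initializer (`char *buf, *buf2, *d, *d_url;`) and is only assigned at `buf2 = estrndup(value, value_len);` in the third hunk, so the commit replaces the old `buf2 != buffer2` guard with an unstated requirement that every `goto skip_cookie` sits after that allocation. Those goto sites are outside the visible hunks and this cannot be confirmed from the page, but if any jump precedes the allocation, `efree(buf2)` operates on an indeterminate pointer; declaring `char *buf = NULL, *buf2 = NULL, *d, *d_url;` and writing the label cleanup as `if (buf2) { efree(buf2); }` makes the cleanup independent of jump placement without relying on efree() accepting NULL. The `encrypt_return_plain` and `decrypt_return_plain` paths are fine as written, since they free only `buf` and return before `buf2` exists. A short why-comment above each `buf = estrndup(name, name_len);` would discourage reintroducing a stack fast path, e.g. `/* always heap-copy: caller-supplied name_len/value_len must never size a fixed stack buffer (the removed fast path checked strlen(value) but copied value_len) */`. Both function bodies extend beyond the hunks shown.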