84 lines
2.8 KiB
Diff
84 lines
2.8 KiB
Diff
From 7c476394e799f39f749d7a7a50f62e5d3ec8db61 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
Date: Mon, 19 May 2025 13:49:32 +0200
|
|
Subject: [PATCH] Fix size_t overflow in Malloc() argument in ReadParams()
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
There were still two issues after commit
|
|
b0eabcaf4d4f371514891a52115c746815c2ff15 (Update fcgiapp.c, Fixing an
|
|
integer overflow (CVE-2025-23016)):
|
|
|
|
* Signed int overflow in "nameLen + valueLen + 2" expression.
|
|
|
|
* Sizes of size_t and int types are in general unrelated.
|
|
|
|
This fix resolves both of the issues.
|
|
|
|
Related to CVE-2025-23016.
|
|
Resolve #67.
|
|
<https://github.com/FastCGI-Archives/fcgi2/pull/77>
|
|
|
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
---
|
|
libfcgi/fcgiapp.c | 13 ++++++++++---
|
|
1 file changed, 10 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/fcgiapp.c b/fcgiapp.c
|
|
index 99c3630..0cd3dd1 100644
|
|
--- a/fcgiapp.c
|
|
+++ b/fcgiapp.c
|
|
@@ -18,6 +18,7 @@
|
|
#include <memory.h> /* for memchr() */
|
|
#include <stdarg.h>
|
|
#include <stdio.h>
|
|
+#include <stdint.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/types.h>
|
|
@@ -1160,6 +1161,7 @@ char *FCGX_GetParam(const char *name, FCGX_ParamArray envp)
|
|
static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
|
|
{
|
|
int nameLen, valueLen;
|
|
+ size_t totalLen;
|
|
unsigned char lenBuff[3];
|
|
char *nameValue;
|
|
|
|
@@ -1175,7 +1177,7 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
|
|
}
|
|
nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
|
|
+ (lenBuff[1] << 8) + lenBuff[2];
|
|
- if (nameLen >= INT_MAX) {
|
|
+ if (nameLen >= INT_MAX || nameLen >= SIZE_MAX) {
|
|
SetError(stream, FCGX_PARAMS_ERROR);
|
|
return -1;
|
|
}
|
|
@@ -1191,16 +1193,21 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
|
|
}
|
|
valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
|
|
+ (lenBuff[1] << 8) + lenBuff[2];
|
|
- if (valueLen >= INT_MAX) {
|
|
+ if (valueLen >= INT_MAX || valueLen >= SIZE_MAX) {
|
|
SetError(stream, FCGX_PARAMS_ERROR);
|
|
return -1;
|
|
}
|
|
}
|
|
+ totalLen = (size_t)nameLen + (size_t)valueLen + 2u;
|
|
+ if (totalLen < (size_t)nameLen || totalLen < (size_t)valueLen) {
|
|
+ SetError(stream, FCGX_PARAMS_ERROR);
|
|
+ return -1;
|
|
+ }
|
|
/*
|
|
* nameLen and valueLen are now valid; read the name and value
|
|
* from stream and construct a standard environment entry.
|
|
*/
|
|
- nameValue = (char *)Malloc(nameLen + valueLen + 2);
|
|
+ nameValue = (char *)Malloc(totalLen);
|
|
if(FCGX_GetStr(nameValue, nameLen, stream) != nameLen) {
|
|
SetError(stream, FCGX_PARAMS_ERROR);
|
|
free(nameValue);
|
|
--
|
|
2.49.0
|
|
|