From 73b1968ee30f6d9d2dae497544b910e68e114bfa Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sat, 14 Jan 2012 09:44:17 +0100
Subject: Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
---
 header.c | 75 +++++++++++++++++-----------------------------------------------
 1 file changed, 20 insertions(+), 55 deletions(-)
(limited to 'header.c')
diff --git a/header.c b/header.c
index 368e085..74d4ad9 100644
--- a/header.c
+++ b/header.c
@@ -40,28 +40,20 @@ static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_
 char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
 {
- char buffer[4096];
- char buffer2[4096];
- char *buf = buffer, *buf2 = buffer2, *d, *d_url;
- int l;
-
- if (name_len > sizeof(buffer)-2) {
- buf = estrndup(name, name_len);
- } else {
- memcpy(buf, name, name_len);
- buf[name_len] = 0;
- }
+ char *buf, *buf2, *d, *d_url;
+ int l;
+
+ buf = estrndup(name, name_len);
+ name_len = php_url_decode(buf, name_len);
- normalize_varname(buf);
- name_len = strlen(buf);
+ normalize_varname(buf);
+ name_len = strlen(buf);
 if (SUHOSIN_G(cookie_plainlist)) {
 if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 encrypt_return_plain:
- if (buf != buffer) {
- efree(buf);
- }
+ efree(buf);
 return estrndup(value, value_len);
 }
 } else if (SUHOSIN_G(cookie_cryptlist)) {
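Review bot: Nothing in the rewritten head of suhosin_encrypt_single_cookie records the invariant it now depends on: `buf` is always heap-allocated, so every exit — the `efree(buf)` placed under `encrypt_return_plain:`, which the `else if (SUHOSIN_G(cookie_cryptlist))` branch outside this hunk presumably reaches by goto, and the tail frees in the next hunk — must release it, and both returns hand back an emalloc'd string. A header comment such as `/* Returns an emalloc()'d string the caller must efree(). name/value are only read. buf is heap-allocated for the whole function; every return path, including the encrypt_return_plain label, must efree() it. */` would keep a later edit from reintroducing a fixed buffer or a leak. Since the old `buf = buffer` initialiser is gone, declaring the pointers as `char *buf = NULL, *buf2 = NULL, *d, *d_url;` would also make any future early exit well-defined. The function body continues past the end of this hunk.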
@@ -70,52 +62,34 @@ encrypt_return_plain:
 }
 }
- if (strlen(value) <= sizeof(buffer2)-2) {
- memcpy(buf2, value, value_len);
- buf2[value_len] = 0;
- } else {
- buf2 = estrndup(value, value_len);
- }
+ buf2 = estrndup(value, value_len);
 value_len = php_url_decode(buf2, value_len);
 d = suhosin_encrypt_string(buf2, value_len, buf, name_len, key TSRMLS_CC);
 d_url = php_url_encode(d, strlen(d), &l);
 efree(d);
- if (buf != buffer) {
- efree(buf);
- }
- if (buf2 != buffer2) {
- efree(buf2);
- }
+ efree(buf);
+ efree(buf2);
 return d_url;
 }
 char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key, char **where TSRMLS_DC)
 {
- char buffer[4096];
- char buffer2[4096];
 int o_name_len = name_len;
- char *buf = buffer, *buf2 = buffer2, *d, *d_url;
+ char *buf, *buf2, *d, *d_url;
 int l;
- if (name_len > sizeof(buffer)-2) {
- buf = estrndup(name, name_len);
- } else {
- memcpy(buf, name, name_len);
- buf[name_len] = 0;
- }
-
+ buf = estrndup(name, name_len);
+ name_len = php_url_decode(buf, name_len);
- normalize_varname(buf);
- name_len = strlen(buf);
+ normalize_varname(buf);
+ name_len = strlen(buf);
 if (SUHOSIN_G(cookie_plainlist)) {
 if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 decrypt_return_plain:
- if (buf != buffer) {
- efree(buf);
- }
+ efree(buf);
 memcpy(*where, name, o_name_len);
 *where += o_name_len;
 **where = '=';
 *where +=1;
@@ -130,12 +104,7 @@ decrypt_return_plain:
 }
- if (strlen(value) <= sizeof(buffer2)-2) {
- memcpy(buf2, value, value_len);
- buf2[value_len] = 0;
- } else {
- buf2 = estrndup(value, value_len);
- }
+ buf2 = estrndup(value, value_len);
 value_len = php_url_decode(buf2, value_len);
@@ -152,12 +121,8 @@ decrypt_return_plain:
 *where += l;
 efree(d_url);
 skip_cookie:
- if (buf != buffer) {
- efree(buf);
- }
- if (buf2 != buffer2) {
- efree(buf2);
- }
+ efree(buf);
+ efree(buf2);
 return *where;
 }
--
cgit v1.3
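Review bot: `buf2` in the new declaration `char *buf, *buf2, *d, *d_url;` of suhosin_decrypt_single_cookie is left uninitialised, yet the `skip_cookie:` path in the last hunk (@@ -152) now frees it unconditionally with `efree(buf2)`; the removed `buf2 = buffer2` initialiser is what made the old `if (buf2 != buffer2)` guard safe. If any `goto skip_cookie` is taken before `buf2 = estrndup(value, value_len)` in the third hunk — the code between the third and fourth hunks is not visible here — that free operates on an indeterminate pointer. Initialising both pointers, `char *buf = NULL, *buf2 = NULL, *d, *d_url;`, and guarding the late frees, `if (buf2) { efree(buf2); }`, keeps every exit well-defined regardless of where the jumps sit. The same declaration shape appears in suhosin_encrypt_single_cookie in the first hunk, although no jump to its tail frees is visible there.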