In functions used to decode a FCGI parameter, the test on the data length
before reading the parameter's name and value did not consider the offset
value used to skip already parsed data. So it was possible to read more data
than available (OOB read). To do so, a malicious FCGI server must send a
forged GET_VALUES_RESULT record containing a parameter with wrong name/value
length.
Thank you to Kamil Frankowicz for having reported this.
This patch must be backported to all stable versions.
len += 4;
}
- if (data < nlen + vlen)
+ if (data < o + nlen + vlen)
return 0;
p->n = ist2(b_peek(in, o), nlen);
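Review bot: The corrected bound `data < o + nlen + vlen` is only sound if the sum cannot wrap; since the preceding `len += 4` shows the 4-byte length encoding is handled here, `nlen` and `vlen` can each carry large 31-bit values, so it is worth confirming that `o`, `nlen`, `vlen` and `data` share a width wide enough for `o + nlen + vlen` not to overflow, or rewriting the test as `data - o < nlen + vlen` after checking `o <= data`, so that a forged record cannot pass the check through wraparound.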
len += 4;
}
- if (data < nlen + vlen)
+ if (data < o + nlen + vlen)
return 0;
p->n = ist2(in->area + o, nlen);
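Review bot: This second site builds the ist directly from `in->area + o`, so it relies entirely on the corrected check to keep `o + nlen` and the following value read within `data`; as the same off-by-offset mistake appeared at both call sites, consider factoring the bound check into a single helper so the two decoders cannot diverge again, and add a regression test that feeds a forged GET_VALUES_RESULT record whose declared name/value lengths exceed the remaining data and asserts the decoder returns 0 rather than reading past the buffer.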