null pointer deref when <methodName> is not set

Bug #51288 null pointer deref when <methodName> is not set
Submitted: 2010-03-13 03:20 UTC Modified: 2010-11-16 21:35 UTC
From: geissert@php.net Assigned: geissert (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: 2010-0397

 [2010-03-13 03:20 UTC] geissert@php.net

Description:
------------
This is CVE-2010-0397, originally reported by Auke van Slooten at http://bugs.debian.org/573573

When processing an invalid (one without a <methodName>, required by the specs) XML-RPC request, the extension doesn't check for the NULL value returned by the xmlrpc library. This NULL is then passed to estrdup which dereferences the pointer, leading to a segmentation fault. This can easily be used to perform DoS attacks by crashing the server.

I've already notified security@php.net, but since the issue is public there's no point in hiding it or the patch. The attached patch fixes the problem, which can also be found at:

http://git.debian.org/?p=pkg-php/php.git;a=blob;f=debian/patches/CVE-2010-0397.patch;h=186b2166644c066f28f1ffb9195ffa9f5744a604;hb=HEAD


Test script:
---------------
<?php
$method = '';
$req = '<?xml version="1.0"?><methodCall></methodCall>';
var_dump(xmlrpc_decode_request($req, $method));
var_dump($method);
echo "Done\n";
?>

Expected result:
----------------
NULL
NULL
Done

Actual result:
--------------
Segmentation fault
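The report describes a missing NULL check between the xmlrpc library's "give me the method name" call and estrdup. The C program below is an added illustration of that defect and its fix; it is not PHP's source, the xmlrpc-epi library, or the Debian patch. The function xmlrpc_method_name is a toy stand-in (assumed contract: returns the name, or NULL when the request has no <methodName>), xdup stands in for estrdup, and decode_method_unchecked / decode_method_checked are hypothetical names chosen for the contrast.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for the library call that hands back the <methodName> of a
 * parsed XML-RPC request, or NULL when the element is absent. It only scans
 * the raw text for the element (an assumption made for the illustration);
 * it is not the xmlrpc-epi parser. */
static const char *xmlrpc_method_name(const char *request)
{
    static char name[64];
    const char *open = strstr(request, "<methodName>");
    if (open == NULL)
        return NULL;                       /* required element missing */
    open += strlen("<methodName>");
    const char *close = strstr(open, "</methodName>");
    if (close == NULL)
        return NULL;                       /* malformed: unterminated element */
    size_t len = (size_t)(close - open);
    if (len >= sizeof name)
        return NULL;                       /* oversized name: treat as invalid */
    memcpy(name, open, len);
    name[len] = '\0';
    return name;
}

/* Stand-in for estrdup: like strdup, it reads through its argument and
 * therefore faults on a NULL pointer. */
static char *xdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* The defective pattern from the report: the library's NULL is handed straight
 * to the duplicating call, which dereferences it and crashes the worker.
 * Kept for contrast only; nothing here calls it with a NULL-producing input. */
static char *decode_method_unchecked(const char *request)
{
    return xdup(xmlrpc_method_name(request));
}

/* The hardened pattern: check the library's return value and report an
 * invalid request instead of dereferencing NULL. Returns a heap copy the
 * caller frees, or NULL when the request carries no usable <methodName>. */
char *decode_method_checked(const char *request)
{
    const char *name = xmlrpc_method_name(request);
    if (name == NULL)
        return NULL;                       /* invalid request, not a crash */
    return xdup(name);
}

int main(void)
{
    /* Constructed sample inputs; the first is the request from the bug's test script. */
    const char *bad  = "<?xml version=\"1.0\"?><methodCall></methodCall>";
    const char *good = "<?xml version=\"1.0\"?><methodCall><methodName>ping</methodName>"
                       "<params></params></methodCall>";
    char *m = decode_method_checked(bad);
    printf("missing methodName -> %s\n", m ? m : "rejected (NULL)");
    free(m);
    m = decode_method_checked(good);
    printf("valid request      -> %s\n", m ? m : "rejected (NULL)");
    free(m);
    (void)decode_method_unchecked;         /* referenced only to avoid an unused warning */
    return 0;
}
```

The point is the single NULL test in decode_method_checked: a request that omits the required element now surfaces as a NULL result (the NULL / NULL / Done the test script expects) rather than a segfault that takes down the serving process.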

Patches

CVE-2009-3765 (last revision 2010-03-13 02:20 UTC by geissert@php.net)

Pull Requests

History


 [2010-03-13 18:00 UTC] felipe@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: geissert

 [2010-03-13 19:39 UTC] geissert@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Hope I got the NEWS entry order right

 [2010-11-16 00:02 UTC] felipe@php.net

-Package: XMLRPC-EPI related +Package: Security related -CVE-ID: +CVE-ID: 2009-3765

 [2010-11-16 00:03 UTC] felipe@php.net

-Private report: +Private report: N

 [2010-11-16 01:14 UTC] felipe@php.net

-Private report: N +Private report: Y

 [2010-11-16 01:15 UTC] felipe@php.net

-Private report: +Private report: Y

 [2010-11-16 21:28 UTC] felipe@php.net

-Private report: +Private report: N -CVE-ID: 2009-3765 +CVE-ID: 2010-0397

 [2010-11-16 21:35 UTC] felipe@php.net

-Package: Security related +Package: XMLRPC-EPI related