From fc3a060a047250c22ba1ba38c6113c3584264aa9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20B=C3=BChler?= Date: Fri, 14 Feb 2014 21:06:00 +0000 Subject: [PATCH] [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a new fastcgi packet is expected, but the currently available data doesn't fill the header and debug is active an invalid read is triggerd. From: Stefan Bühler git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2939 152afb58-edef-0310-8abb-c4023f1b3aa9 --- NEWS | 2 +- src/mod_fastcgi.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 0d6d9ffb..ca1e206e 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,7 @@ NEWS - 1.4.35 * [network/ssl] fix build error if TLSEXT is disabled - + * [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active) - 1.4.34 * [mod_auth] explicitly link ssl for SHA1 (fixes #2517) diff --git a/src/mod_fastcgi.c b/src/mod_fastcgi.c index 056624be..64cc2442 100644 --- a/src/mod_fastcgi.c +++ b/src/mod_fastcgi.c @@ -2420,11 +2420,12 @@ static int fastcgi_get_packet(server *srv, handler_ctx *hctx, fastcgi_response_p if ((packet->b->used == 0) || (packet->b->used - 1 < sizeof(FCGI_Header))) { /* no header */ - buffer_free(packet->b); - if (hctx->plugin_data->conf.debug) { log_error_write(srv, __FILE__, __LINE__, "sdsds", "FastCGI: header too small:", packet->b->used, "bytes <", sizeof(FCGI_Header), "bytes, waiting for more data"); } + + buffer_free(packet->b); + return -1; }