Malformed requests when using more than 8192 bytes of parameters #13

Open
arnecls opened this issue Dec 21, 2018 · 4 comments

arnecls commented Dec 21, 2018

The size of the parameter buffer is fixed at 8KB, see

    paramsStream = FCGX_CreateWriter(appServerSock, requestId, 8192, FCGI_PARAMS);

Using more than ~8KB of parameters will cause malformed requests.

In our case we were sending around 8184 bytes (according to Wireshark):
[image: broken]

Here is the output of the same request with slightly less data, which is working:
[image: working]

We could not really track it down far into the code, but I never saw the stream buffer size being reset anywhere. But as a second parameter set is sent (see Wireshark protocol), it could also be an off-by-one error or similar.

arnecls commented Dec 21, 2018

I sadly cannot send you the dumps, as they contain sensitive information, but I can look things up if you want to.

The error reported by Wireshark is sadly not very informative.

[Malformed Packet: FCGI]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

@mcarbonneaux

You're welcome to send a pull request to fix it.

mcarbonneaux commented Jan 7, 2019

Have you tried changing the 8192 size in the FCGX_CreateWriter argument, to see whether it is simply this size that has been reached or something more complex?

mcarbonneaux commented Jan 7, 2019

Have you caught the exit status of the cgi-fcgi binary?

Because in the loop after the createwriter, they exit hard if putstr fails:

    for( ; *envp != NULL; envp++) {
        equalPtr = strchr(*envp, '=');
        if(equalPtr == NULL) {
            exit(1000);
        }
        valueLen = strlen(equalPtr + 1);
        FCGIUtil_BuildNameValueHeader(
                equalPtr - *envp,
                valueLen,
                &headerBuff[0],
                &headerLen);
        if(FCGX_PutStr((char *) &headerBuff[0], headerLen, paramsStream) < 0
                || FCGX_PutStr(*envp, equalPtr - *envp, paramsStream) < 0
                || FCGX_PutStr(equalPtr + 1, valueLen, paramsStream) < 0) {
            exit(FCGX_GetError(paramsStream));
        }
    }
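
A local check for the symptom discussed in this thread, as an added example (not code from this project or from the commenters): it walks captured FastCGI records, reassembles the FCGI_PARAMS stream, and reports whether the name-value pairs still decode when they span more than one record. The function names and the sample bytes are constructed for illustration; the record header and length-field layouts follow the FastCGI specification.

```c
#include <stdint.h>
#include <string.h>

enum { FCGI_VERSION_1 = 1, FCGI_PARAMS = 4, FCGI_HEADER_LEN = 8 };

/* Constructed sample: A=b and CD=(empty), the second pair split across two
 * FCGI_PARAMS records, then the empty record that ends the stream. */
static const uint8_t SAMPLE[] = { 1, 4, 0, 1, 0, 5, 0, 0,  1, 1, 'A', 'b', 2,
                                  1, 4, 0, 1, 0, 3, 0, 0,  0, 'C', 'D',
                                  1, 4, 0, 1, 0, 0, 0, 0 };

/* One length field: 1 byte if below 128, else 4 bytes with the top bit set. */
static int rd_len(const uint8_t *p, size_t avail, size_t *pos, size_t *len) {
    if (*pos >= avail) return -1;
    if (!(p[*pos] & 0x80)) { *len = p[(*pos)++]; return 0; }
    if (avail - *pos < 4) return -1;
    *len = ((size_t)(p[*pos] & 0x7f) << 24) | ((size_t)p[*pos + 1] << 16)
         | ((size_t)p[*pos + 2] << 8) | p[*pos + 3];
    *pos += 4;
    return 0;
}

/* Reassemble FCGI_PARAMS records into tmp[] and count the name-value pairs.
 * Returns the count, or -1 bad/truncated record, -2 tmp[] full, -3 bad pair. */
int fcgi_count_params(const uint8_t *b, size_t n, uint8_t *tmp, size_t cap) {
    size_t off = 0, total = 0, pos = 0, pairs = 0, nl = 0, vl = 0;
    for (;;) {
        if (n - off < FCGI_HEADER_LEN || b[off] != FCGI_VERSION_1) return -1;
        size_t c = ((size_t)b[off + 4] << 8) | b[off + 5];
        size_t rec = FCGI_HEADER_LEN + c + b[off + 6]; /* header+content+padding */
        if (rec > n - off) return -1;
        if (b[off + 1] == FCGI_PARAMS) {
            if (c == 0) break;                         /* end of params stream */
            if (c > cap - total) return -2;
            memcpy(tmp + total, b + off + FCGI_HEADER_LEN, c);
            total += c;
        }
        off += rec;
    }
    for (; pos < total; pos += nl + vl, pairs++)
        if (rd_len(tmp, total, &pos, &nl) || rd_len(tmp, total, &pos, &vl)
                || nl + vl > total - pos) return -3;
    return (int)pairs;
}

int main(void) {
    uint8_t tmp[64];
    return fcgi_count_params(SAMPLE, sizeof SAMPLE, tmp, sizeof tmp) == 2 ? 0 : 1;
}
```

Run against the bytes the client wrote to the FastCGI socket, a return of -1 points at record framing and -3 at the name-value encoding inside the reassembled stream.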
