From 96286b2a8440e98c43c5a027a3f820ca327cb1e5 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Wed, 4 Mar 2026 14:53:04 +0100
Subject: [PATCH] BUG/MAJOR: fcgi: Fix param decoding by properly checking its size

In functions used to decode a FCGI parameter, the test on the data length before reading the parameter's name and value did not consider the offset value used to skip already parsed data. So it was possible to read more data than available (OOB read). To do so, a malicious FCGI server must send a forged GET_VALUES_RESULT record containing a parameter with wrong name/value length. Thank you to Kamil Frankowicz for having reported this. This patch must be backported to all stable versions.
---
 src/fcgi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/fcgi.c b/src/fcgi.c
index 1d1a82b4c..0ff76156f 100644
--- a/src/fcgi.c
+++ b/src/fcgi.c
@@ -198,7 +198,7 @@ size_t fcgi_decode_param(const struct buffer *in, size_t o, struct fcgi_param *p
 		len += 4;
 	}
 
-	if (data < nlen + vlen)
+	if (data < o + nlen + vlen)
 		return 0;
 
 	p->n = ist2(b_peek(in, o), nlen);
@@ -253,7 +253,7 @@ size_t fcgi_aligned_decode_param(const struct buffer *in, size_t o, struct fcgi_
 		len += 4;
 	}
 
-	if (data < nlen + vlen)
+	if (data < o + nlen + vlen)
 		return 0;
 
 	p->n = ist2(in->area + o, nlen);
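Review bot: The corrected check `data < o + nlen + vlen` can still be defeated by unsigned wrap-around if the sum exceeds the range of size_t: nlen and vlen are declared outside this hunk, but if they are the up-to-31-bit lengths decoded from the four-byte prefix (the `len += 4;` branch suggests so), then on a 32-bit build an attacker-chosen pair of lengths near 2^31 makes `o + nlen + vlen` wrap, the comparison passes, and the `ist2(b_peek(in, o), nlen)` on the last line again points past the buffer. A subtraction form cannot wrap and keeps the same semantics: `if (data < o || nlen > data - o || vlen > data - o - nlen) return 0;`. The body of fcgi_decode_param starts and ends outside this hunk, so the earlier guards on the length-prefix reads are not visible here and are not assessed.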
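Review bot: fcgi_aligned_decode_param now repeats the bounds check of fcgi_decode_param byte for byte, and the bug had to be fixed in both places; a short comment above the check would stop a later "simplification" back to the buggy form, e.g. `/* o already points past the length prefixes: name + value must fit in the data - o bytes left */`. The same size_t wrap-around caveat applies here: if nlen and vlen are 31-bit decoded lengths (their declarations are outside the hunk), `o + nlen + vlen` can wrap on a 32-bit size_t, and `if (data < o || nlen > data - o || vlen > data - o - nlen)` avoids it; a single static inline helper shared by both decoders would keep the two checks from diverging again. The enclosing function starts and ends outside this hunk.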