8

Possible Duplicate:
How to conduct buffer overflow in PHP/Python?

I was reading this tutorial, when I came into this:

A buffer overflow attack seeks to overflow the memory allocation buffer inside your PHP application or, more seriously, in Apache or the underlying operating system. Remember that you may be using a high-level language like PHP to code your Web applications, but at the end of the day, you're calling C (in the case of Apache) to do work. And C, like most low-level languages, has strict rules about allocation of memory.

What? I knew that PHP was well error-checked and so buffer overflow wasn't possible. Should I check user input length to avoid too big a data flow? Thank you very much.

Surfer on the fall

3 Answers

11

Yes it is, and in the current change log there have been 15 bug fixes related to it:

  • Fixed bug #61807 Buffer Overflow in apache_request_headers, CVE-2012-2329.
  • Fixed buffer overflow on overlong salt in crypt(). (Clément LECIGNE, Stas
  • Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with $double=false).
  • Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938) Found by Mateusz Kocielski, Marek Kroemeke and Filip Palian. (Felipe)
  • Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user. (Andrey)
  • Fixed possible buffer overflows when handling error packets in mysqlnd. Reported by Stefan Esser. (Andrey)
  • Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser. (Pierre)
  • Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow). (Fixes CVE-2008-2829) (Dmitry)
  • Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei Nigmatulin)
  • Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
  • Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre)
  • Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). (Ilia)
  • Fixed a buffer overflow inside user_filter_factory_create(). (Ilia)
  • Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (Stas)
Esailija
  • So, would you check every user input size to avoid buffer overflow? – Surfer on the fall Aug 05 '12 at 15:30
  • @user1294101 No I wouldn't. If I knew about a buggy extension or code I would submit the bug report. You should check the size of user input as a normal validation. – Esailija Aug 05 '12 at 15:33
  • Thanks, but then why is not checking input size unsafe? What can a too big input do? – Surfer on the fall Aug 05 '12 at 15:38
  • 1
    @user1294101 I mean I check for input size as a normal validation routine, i.e. someone's bank account number is probably not megabytes long... Not because there might be a buffer overflow bug in `str_replace` or whatever. – Esailija Aug 05 '12 at 15:47
  • Thanks, same tutorial advises to use maxlength and php substr... "The browser will keep users from entering a string that's too long for PHP or MySQL to handle safely (imagine if someone tried to type in a name with 1,000 characters),". Would it be a problem? I think it's wrong. – Surfer on the fall Aug 06 '12 at 10:46
  • 1
    @Surferonthefall Don't rely on the browser to do anything for you, people can submit data to your server without using any browser. Client side is inherently untrustworthy. – Esailija Sep 10 '12 at 14:43
  • How to check input size in PHP? – Calvin Oct 04 '16 at 15:48
2

Of course it can happen, when calling functions that are actually written using C/C++ (that'd be all core functions).

I believe those basic functions that PHP provides have been checked for errors like buffer overflow, but you cannot know for sure when using custom extensions though.

usoban
  • So, is checking every user input size a secure way? – Surfer on the fall Aug 05 '12 at 15:29
  • No, I wouldn't do it. If the buffer overflow occurs, it is a PHP bug and should be fixed. – usoban Aug 06 '12 at 08:21
  • Thanks, is a data flood (let's pretend someone POSTs 50 MB of data) a problem? – Surfer on the fall Aug 06 '12 at 19:11
  • Can be; however, the maximum post size can be controlled via the config flag post_max_size (see http://www.php.net/manual/en/ini.core.php#ini.post-max-size) – usoban Aug 07 '12 at 10:53
  • Currently I have memory_limit set to 54 MB, which affects post_max_size... Do you think that is a good limit? Thanks again – Surfer on the fall Aug 07 '12 at 19:34
  • memory_limit is totally up to you and the requirements of your application; you may need more memory if the app is memory intensive, or face fatal errors when memory runs out. post_max_size is specifically there to distinguish between overall memory consumption and max post data size. – usoban Aug 08 '12 at 07:49
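The input-size validation Esailija describes and the post_max_size limit usoban points to, written out as an added example that is not part of any answer above; it assumes a normal web SAPI (so $_SERVER['CONTENT_LENGTH'] is set on POST) and the mbstring extension, and it addresses request and field sizes only, not buffer overflows inside PHP itself.

```php
<?php
// Added example (not part of the original answers): server-side input size checks in PHP.
// Assumes a normal web SAPI ($_SERVER['CONTENT_LENGTH'] set on POST) and the mbstring extension.

// ini_get('post_max_size') returns php.ini shorthand such as "8M"; convert it to bytes.
function iniSizeToBytes(string $value): int
{
    $value = trim($value);
    $unit = strtolower(substr($value, -1));
    $number = (int) $value; // the cast stops at the first non-digit, so "8M" becomes 8
    switch ($unit) {
        case 'g': return $number * 1024 * 1024 * 1024;
        case 'm': return $number * 1024 * 1024;
        case 'k': return $number * 1024;
        default:  return $number;
    }
}

// When the POST body exceeds post_max_size, PHP discards it: $_POST and $_FILES arrive
// empty and only a warning is logged, so without this check an oversized request looks
// like an empty form submission. A post_max_size of 0 means no limit.
function postBodyTooLarge(): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $contentLength = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
    $limit = iniSizeToBytes((string) ini_get('post_max_size'));
    return $limit > 0 && $contentLength > $limit;
}

// Per-field length validation. maxlength in HTML counts characters, but strlen() counts
// bytes, so a 100-character UTF-8 name can be 400 bytes; enforce both limits.
function fieldWithinLimit(string $value, int $maxChars, int $maxBytes): bool
{
    return mb_strlen($value, 'UTF-8') <= $maxChars && strlen($value) <= $maxBytes;
}

if (postBodyTooLarge()) {
    http_response_code(413); // Payload Too Large
    exit('Request body exceeds post_max_size (' . ini_get('post_max_size') . ').');
}

// $_POST['name'] can also be an array if the client sent name[]=..., so type-check it too.
$name = $_POST['name'] ?? '';
if (!is_string($name) || !fieldWithinLimit($name, 100, 400)) {
    http_response_code(400);
    exit('Name must be at most 100 characters.');
}
```

The 413 branch is the one most forms miss: the request never reaches the field checks because PHP has already dropped the body.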
0

Sure, it's 'possible.' The question I would be more interested in is where do you think the attack vector is to do this (an unpatched PHP bug, etc). Also, I would think this is a much less likely target for exploit than other security issues.

Ray