ID:               40600
 Updated by:       [EMAIL PROTECTED]
 Reported By:      stas at FreeBSD dot org
-Status:           Assigned
+Status:           Bogus
 Bug Type:         POSIX related
 Operating System: FreeBSD
 PHP Version:      5.2.1
 Assigned To:      iliaa
 New Comment:

Nuno, this part of the patch was applied 3 days ago.


Previous Comments:
------------------------------------------------------------------------

[2007-02-26 14:03:00] [EMAIL PROTECTED]

He is referring to this part of the patch:
@@ -887,6 +886,8 @@
 #ifdef HAVE_GETGRGID_R

        grbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+       if (grbuflen < 0)
+               grbuflen = 1024;

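Review bot: the `if (grbuflen < 0)` test only catches sysconf()'s -1 return if grbuflen is a signed type; sysconf() returns a long, and if grbuflen is declared as size_t (or any unsigned type) the comparison is always false and the -1 is widened to (size_t)-1, which is exactly the malloc size the reporter describes. Store the sysconf() result in a long and check that before assigning it to the buffer length, and treat the 1024 as an initial guess rather than a hard limit: getgrgid_r() reports a too-small buffer with ERANGE, so the caller should grow the buffer and retry instead of failing.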

so there is no check there for a negative return value.

------------------------------------------------------------------------

[2007-02-26 01:59:47] [EMAIL PROTECTED]

The buflen check disallows values that are less than 1, so how
will you ever allocate a negative value?

RETURN_FALSE will terminate the function.

------------------------------------------------------------------------

[2007-02-25 23:04:42] stas at FreeBSD dot org

The bug is still here.

------------------------------------------------------------------------

[2007-02-24 09:03:50] stas at FreeBSD dot org

> The current code is fine, we should not hardcode buffer sizes
> if they cannot be retrieved, this could lead to exploitable
> situations. Also if the return buffer length is 0 it probably
> indicates a problem.

1) According to POSIX it's not a problem.
2) Besides that, one check is missing (take a look at the patch), so you're
effectively trying to malloc (size_t)-1 bytes on FreeBSD currently,
which leads to a crash.

------------------------------------------------------------------------
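The failure mode argued over above (sysconf(_SC_GETGR_R_SIZE_MAX) returning -1 and that value ending up as a size_t malloc argument) and the alternative to a hard-coded size, as an added example that is not PHP's code and not part of this report. The helper names naive_grbuflen, safe_grbuflen and lookup_group_name, the 1024-byte fallback and the 1 MiB growth cap are this example's own choices; getgrgid_r(), sysconf() and ERANGE behave as POSIX specifies.

```c
/* Added example (not PHP's code): sizing the buffer for getgrgid_r().
 * The helper names, the fallback size and the cap are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define GRBUF_FALLBACK 1024u      /* used when sysconf() gives no usable size */
#define GRBUF_MAX      (1u << 20) /* stop growing here; 1 MiB is plenty for one entry */

/* The pitfall: sysconf() returns a long and uses -1 both for "error" and
 * for "no determinate limit". Widening that to size_t yields SIZE_MAX,
 * which is the (size_t)-1 malloc() the reporter describes. */
size_t naive_grbuflen(long sysconf_result)
{
    return (size_t)sysconf_result;
}

/* The fix: test the signed value before it becomes a size_t. */
size_t safe_grbuflen(long sysconf_result)
{
    if (sysconf_result < 0)
        return GRBUF_FALLBACK;
    return (size_t)sysconf_result;
}

/* Look up a group name by gid. Returns 1 if found (name copied to out),
 * 0 if no such group, -1 on error with errno set. The buffer handed to
 * getgrgid_r() is grown while the call reports ERANGE, so a wrong guess
 * from sysconf() (or from the fallback) only costs a retry, never a crash
 * and never a truncated entry. */
int lookup_group_name(gid_t gid, char *out, size_t outlen)
{
    size_t len = safe_grbuflen(sysconf(_SC_GETGR_R_SIZE_MAX));
    char *buf = NULL;

    for (;;) {
        struct group grp, *result = NULL;
        char *nbuf = realloc(buf, len);
        int rc;

        if (nbuf == NULL) {
            free(buf);
            return -1;
        }
        buf = nbuf;

        rc = getgrgid_r(gid, &grp, buf, len, &result);
        if (rc == 0) {
            int found = (result != NULL);
            if (found)
                snprintf(out, outlen, "%s", grp.gr_name);
            free(buf);
            return found;
        }
        if (rc != ERANGE || len >= GRBUF_MAX) {
            free(buf);
            errno = rc;
            return -1;
        }
        len *= 2; /* buffer too small: retry with twice the space */
    }
}

int main(void)
{
    char name[256];

    printf("naive (size_t)-1 request: %zu bytes\n", naive_grbuflen(-1));
    printf("safe fallback request:    %zu bytes\n", safe_grbuflen(-1));

    switch (lookup_group_name(getgid(), name, sizeof name)) {
    case 1:  printf("gid %ld is group %s\n", (long)getgid(), name); break;
    case 0:  printf("gid %ld has no group entry\n", (long)getgid()); break;
    default: perror("getgrgid_r");
    }
    return 0;
}
```

The two small functions isolate the point of disagreement in the thread: a `< 0` check is only meaningful while the value is still a long, and a fallback size is harmless as long as the ERANGE path can grow past it.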

[2007-02-23 23:53:25] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The current code is fine, we should not hardcode buffer sizes 
if they cannot be retrieved, this could lead to exploitable 
situations. Also if the return buffer length is 0 it probably 
indicates a problem. 

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/40600

-- 
Edit this bug report at http://bugs.php.net/?id=40600&edit=1
