felipe                                   Tue, 24 May 2011 00:05:50 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=311369

Log:
- Fixed stack buffer overflow in socket_connect().
  Found by: Mateusz Kocielski, Marek Kroemeke and Filip Palian

Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/sockets/sockets.c
    U   php/php-src/branches/PHP_5_4/ext/sockets/sockets.c
    U   php/php-src/trunk/ext/sockets/sockets.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2011-05-23 23:51:28 UTC (rev 311368)
+++ php/php-src/branches/PHP_5_3/NEWS   2011-05-24 00:05:50 UTC (rev 311369)
@@ -118,6 +118,8 @@
   . Fixed bug #54312 (soap_version logic bug). (tom at samplonius dot org)

 - Sockets extension:
+  . Fixed stack buffer overflow in socket_connect().
+    Found by Mateusz Kocielski, Marek Kroemeke and Filip Palian. (Felipe)
   . Changed socket_set_block() and socket_set_nonblock() so they emit warnings
     on error. (Gustavo)
   . Fixed bug #51958 (socket_accept() fails on IPv6 server sockets). (Gustavo)

Modified: php/php-src/branches/PHP_5_3/ext/sockets/sockets.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/sockets/sockets.c  2011-05-23 23:51:28 UTC 
(rev 311368)
+++ php/php-src/branches/PHP_5_3/ext/sockets/sockets.c  2011-05-24 00:05:50 UTC 
(rev 311369)
@@ -1336,6 +1336,11 @@
                        break;

                case AF_UNIX:
+                       if (addr_len >= sizeof(s_un.sun_path)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Path too long", php_sock->type);
+                               RETURN_FALSE;
+                       }
+
                        memset(&s_un, 0, sizeof(struct sockaddr_un));

                        s_un.sun_family = AF_UNIX;
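Review bot: The added `php_error_docref()` call passes `php_sock->type` even though the format string "Path too long" has no conversion specifier, so the argument is ignored and only misleads the reader; `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");` is enough. The same line appears in the PHP_5_4 and trunk hunks. The `>=` bound is correct only because the struct is zeroed right after the check, which leaves one byte for the terminating NUL. A short comment above the check would record that, e.g. `/* addr is caller-supplied: reject before the copy into s_un.sun_path, keeping one byte for the NUL */`. The copy into `sun_path` lies outside the hunk, so it is assumed rather than visible that it uses `addr_len` as its length.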

Modified: php/php-src/branches/PHP_5_4/ext/sockets/sockets.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/sockets/sockets.c  2011-05-23 23:51:28 UTC 
(rev 311368)
+++ php/php-src/branches/PHP_5_4/ext/sockets/sockets.c  2011-05-24 00:05:50 UTC 
(rev 311369)
@@ -1540,6 +1540,11 @@
                        break;

                case AF_UNIX:
+                       if (addr_len >= sizeof(s_un.sun_path)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Path too long", php_sock->type);
+                               RETURN_FALSE;
+                       }
+
                        memset(&s_un, 0, sizeof(struct sockaddr_un));

                        s_un.sun_family = AF_UNIX;

Modified: php/php-src/trunk/ext/sockets/sockets.c
===================================================================
--- php/php-src/trunk/ext/sockets/sockets.c     2011-05-23 23:51:28 UTC (rev 
311368)
+++ php/php-src/trunk/ext/sockets/sockets.c     2011-05-24 00:05:50 UTC (rev 
311369)
@@ -1540,6 +1540,11 @@
                        break;

                case AF_UNIX:
+                       if (addr_len >= sizeof(s_un.sun_path)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Path too long", php_sock->type);
+                               RETURN_FALSE;
+                       }
+
                        memset(&s_un, 0, sizeof(struct sockaddr_un));

                        s_un.sun_family = AF_UNIX;
