felipe Tue, 24 May 2011 00:05:50 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=311369
Log: - Fixed stack buffer overflow in socket_connect(). Found by: Mateusz Kocielski, Marek Kroemeke and Filip Palian Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/sockets/sockets.c U php/php-src/branches/PHP_5_4/ext/sockets/sockets.c U php/php-src/trunk/ext/sockets/sockets.c Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2011-05-23 23:51:28 UTC (rev 311368) +++ php/php-src/branches/PHP_5_3/NEWS 2011-05-24 00:05:50 UTC (rev 311369) @@ -118,6 +118,8 @@ . Fixed bug #54312 (soap_version logic bug). (tom at samplonius dot org) - Sockets extension: + . Fixed stack buffer overflow in socket_connect(). + Found by Mateusz Kocielski, Marek Kroemeke and Filip Palian. (Felipe) . Changed socket_set_block() and socket_set_nonblock() so they emit warnings on error. (Gustavo) . Fixed bug #51958 (socket_accept() fails on IPv6 server sockets). (Gustavo) Modified: php/php-src/branches/PHP_5_3/ext/sockets/sockets.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/sockets/sockets.c 2011-05-23 23:51:28 UTC (rev 311368) +++ php/php-src/branches/PHP_5_3/ext/sockets/sockets.c 2011-05-24 00:05:50 UTC (rev 311369) @@ -1336,6 +1336,11 @@ break; case AF_UNIX: + if (addr_len >= sizeof(s_un.sun_path)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type); + RETURN_FALSE; + } + memset(&s_un, 0, sizeof(struct sockaddr_un)); s_un.sun_family = AF_UNIX; Modified: php/php-src/branches/PHP_5_4/ext/sockets/sockets.c =================================================================== --- php/php-src/branches/PHP_5_4/ext/sockets/sockets.c 2011-05-23 23:51:28 UTC (rev 311368) +++ php/php-src/branches/PHP_5_4/ext/sockets/sockets.c 2011-05-24 00:05:50 UTC (rev 311369) @@ -1540,6 +1540,11 @@ break; case AF_UNIX: + if (addr_len >= sizeof(s_un.sun_path)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type); + RETURN_FALSE; + } + memset(&s_un, 0, sizeof(struct sockaddr_un)); s_un.sun_family = AF_UNIX; Modified: php/php-src/trunk/ext/sockets/sockets.c =================================================================== --- php/php-src/trunk/ext/sockets/sockets.c 2011-05-23 23:51:28 UTC (rev 311368) +++ php/php-src/trunk/ext/sockets/sockets.c 2011-05-24 00:05:50 UTC (rev 311369) @@ -1540,6 +1540,11 @@ break; case AF_UNIX: + if (addr_len >= sizeof(s_un.sun_path)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type); + RETURN_FALSE; + } + memset(&s_un, 0, sizeof(struct sockaddr_un)); s_un.sun_family = AF_UNIX;
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php