Search
j0ke.net Open Build Service
>
Projects
>
internetx
:
php5
>
php-5.3.29
> php-CVE-2014-3597.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File php-CVE-2014-3597.patch of Package php-5.3.29
From 2fefae47716d501aec41c1102f3fd4531f070b05 Mon Sep 17 00:00:00 2001 From: Remi Collet <remi@php.net> Date: Tue, 19 Aug 2014 08:33:49 +0200 Subject: [PATCH] Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597 Incomplete fix for CVE-2014-4049 Check possible buffer overflow - pass real buffer end to dn_expand calls - check buffer len before each read --- ext/standard/dns.c | 84 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 60 insertions(+), 24 deletions(-) Index: ext/standard/dns.c =================================================================== --- ext/standard/dns.c.orig 2014-09-09 11:30:36.342448937 +0200 +++ ext/standard/dns.c 2014-09-09 11:44:59.066434153 +0200 @@ -412,8 +412,14 @@ #if HAVE_FULL_DNS_FUNCS +#define CHECKCP(n) do { \ + if (cp + n > end) { \ + return NULL; \ + } \ +} while (0) + /* {{{ php_parserr */ -static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray) +static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray) { u_short type, class, dlen; u_long ttl; @@ -425,16 +431,18 @@ *subarray = NULL; - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2); + n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2); if (n < 0) { return NULL; } cp += n; + CHECKCP(10); GETSHORT(type, cp); GETSHORT(class, cp); GETLONG(ttl, cp); GETSHORT(dlen, cp); + CHECKCP(dlen); if (type_to_fetch != T_ANY && type != type_to_fetch) { cp += dlen; return cp; @@ -451,12 +459,14 @@ add_assoc_string(*subarray, "host", name, 1); switch (type) { case DNS_T_A: + CHECKCP(4); add_assoc_string(*subarray, "type", "A", 1); snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]); add_assoc_string(*subarray, "ip", name, 1); cp += dlen; break; case DNS_T_MX: + CHECKCP(2); add_assoc_string(*subarray, "type", "MX", 1); GETSHORT(n, cp); add_assoc_long(*subarray, "pri", n); @@ -475,7 +485,7 @@ if (type == DNS_T_PTR) { add_assoc_string(*subarray, "type", "PTR", 1); } - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -485,18 +495,22 @@ case DNS_T_HINFO: /* See RFC 1010 for values */ add_assoc_string(*subarray, "type", "HINFO", 1); + CHECKCP(1); n = *cp & 0xFF; cp++; + CHECKCP(n); add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1); cp += n; + CHECKCP(1); n = *cp & 0xFF; cp++; + CHECKCP(n); add_assoc_stringl(*subarray, "os", (char*)cp, n, 1); cp += n; break; case DNS_T_TXT: { - int ll = 0; + int l1 = 0, l2 = 0; zval *entries = NULL; add_assoc_string(*subarray, "type", "TXT", 1); @@ -505,37 +519,41 @@ MAKE_STD_ZVAL(entries); array_init(entries); - while (ll < dlen) { - n = cp[ll]; - if ((ll + n) >= dlen) { + while (l1 < dlen) { + n = cp[l1]; + if ((l1 + n) >= dlen) { // Invalid chunk length, truncate - n = dlen - (ll + 1); + n = dlen - (l1 + 1); } - memcpy(tp + ll , cp + ll + 1, n); - add_next_index_stringl(entries, cp + ll + 1, n, 1); - ll = ll + n + 1; + if (n) { + memcpy(tp + l2 , cp + l1 + 1, n); + add_next_index_stringl(entries, cp + l1 + 1, n, 1); + } + l1 = l1 + n + 1; + l2 = l2 + n; } - tp[dlen] = '\0'; + tp[l2] = '\0'; cp += dlen; - add_assoc_stringl(*subarray, "txt", tp, dlen - 1, 0); + add_assoc_stringl(*subarray, "txt", tp, l2, 0); add_assoc_zval(*subarray, "entries", entries); } break; case DNS_T_SOA: add_assoc_string(*subarray, "type", "SOA", 1); - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); if (n < 0) { return NULL; } cp += n; add_assoc_string(*subarray, "mname", name, 1); - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); if (n < 0) { return NULL; } cp += n; add_assoc_string(*subarray, "rname", name, 1); + CHECKCP(5*4); GETLONG(n, cp); add_assoc_long(*subarray, "serial", n); GETLONG(n, cp); @@ -549,6 +567,7 @@ break; case DNS_T_AAAA: tp = (u_char*)name; + CHECKCP(8*2); for(i=0; i < 8; i++) { GETSHORT(s, cp); if (s != 0) { @@ -583,6 +602,7 @@ case DNS_T_A6: p = cp; add_assoc_string(*subarray, "type", "A6", 1); + CHECKCP(1); n = ((int)cp[0]) & 0xFF; cp++; add_assoc_long(*subarray, "masklen", n); @@ -618,6 +638,7 @@ cp++; } for (i = (n + 8) / 16; i < 8; i++) { + CHECKCP(2); GETSHORT(s, cp); if (s != 0) { if (tp > (u_char *)name) { @@ -647,7 +668,7 @@ tp[0] = '\0'; add_assoc_string(*subarray, "ipv6", name, 1); if (cp < p + dlen) { - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -656,6 +677,7 @@ } break; case DNS_T_SRV: + CHECKCP(3*2); add_assoc_string(*subarray, "type", "SRV", 1); GETSHORT(n, cp); add_assoc_long(*subarray, "pri", n); @@ -663,7 +685,7 @@ add_assoc_long(*subarray, "weight", n); GETSHORT(n, cp); add_assoc_long(*subarray, "port", n); - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -671,21 +693,35 @@ add_assoc_string(*subarray, "target", name, 1); break; case DNS_T_NAPTR: + CHECKCP(2*2); add_assoc_string(*subarray, "type", "NAPTR", 1); GETSHORT(n, cp); add_assoc_long(*subarray, "order", n); GETSHORT(n, cp); add_assoc_long(*subarray, "pref", n); + + CHECKCP(1); n = (cp[0] & 0xFF); - add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1); + cp++; + CHECKCP(n); + add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1); cp += n; + + CHECKCP(1); n = (cp[0] & 0xFF); - add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1); + cp++; + CHECKCP(n); + add_assoc_stringl(*subarray, "services", (char*)cp, n, 1); cp += n; + + CHECKCP(1); n = (cp[0] & 0xFF); - add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1); + cp++; + CHECKCP(n); + add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1); cp += n; - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -852,7 +888,7 @@ while (an-- && cp && cp < end) { zval *retval; - cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval); + cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval); if (retval != NULL && store_results) { add_next_index_zval(return_value, retval); } @@ -865,7 +901,7 @@ while (ns-- > 0 && cp && cp < end) { zval *retval = NULL; - cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval); + cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval); if (retval != NULL) { add_next_index_zval(authns, retval); } @@ -877,7 +913,7 @@ while (ar-- > 0 && cp && cp < end) { zval *retval = NULL; - cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval); + cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval); if (retval != NULL) { add_next_index_zval(addtl, retval); }