Fix potential segfault in dns_get_record()

If the remote sends us a packet with a malformed TXT record, we could end up trying to over-consume the packet and wander off into overruns.
author: Sara Golemon <pollita@php.net> 2014-06-10 11:18:02 -0700
committer: Stanislav Malyshev <stas@php.net> 2014-06-15 01:04:24 -0700
commit: 21525d041369484d49781b34a8333a78798806e4 (patch)
tree: 04e2407343bb9c91f281b6f43a6d48944b9fe529
parent: 2b04d689724bdfd5db9351c017566e2f51d61568 (diff)
download: php-git-21525d041369484d49781b34a8333a78798806e4.tar.gz
2 files changed, 8 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index f0367a8cc9..a5eaabcd6b 100644
--- a/NEWS
+++ b/NEWS
@@ -31,6 +31,10 @@ PHP                                                                        NEWS
   . Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary
     check). (Francisco Alonso, Jan Kaluza, Remi)
 
+- Network:
+  . Fixed bug #67432 (Fix potential segfault in dns_get_record()). 
+    (CVE-2014-4049). (Sara)
+
 - OpenSSL:
   . Fixed bug #65698 (certificates validity parsing does not work past 2050). 
     (Paul Oehler)
diff --git a/ext/standard/dns.c b/ext/standard/dns.c
index 6a894467ff..214a7dc7e9 100644
--- a/ext/standard/dns.c
+++ b/ext/standard/dns.c
@@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 				
 				while (ll < dlen) {
 					n = cp[ll];
+					if ((ll + n) >= dlen) {
+						// Invalid chunk length, truncate
+						n = dlen - (ll + 1);
+					}
 					memcpy(tp + ll , cp + ll + 1, n);
 					add_next_index_stringl(entries, cp + ll + 1, n, 1);
 					ll = ll + n + 1;
author	Sara Golemon <pollita@php.net>	2014-06-10 11:18:02 -0700
committer	Stanislav Malyshev <stas@php.net>	2014-06-15 01:04:24 -0700
commit	21525d041369484d49781b34a8333a78798806e4 (patch)
tree	04e2407343bb9c91f281b6f43a6d48944b9fe529
parent	2b04d689724bdfd5db9351c017566e2f51d61568 (diff)
download	php-git-21525d041369484d49781b34a8333a78798806e4.tar.gz