diff options
author | Sara Golemon <pollita@php.net> | 2014-06-10 11:18:02 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-06-15 01:04:24 -0700 |
commit | 21525d041369484d49781b34a8333a78798806e4 (patch) | |
tree | 04e2407343bb9c91f281b6f43a6d48944b9fe529 | |
parent | 2b04d689724bdfd5db9351c017566e2f51d61568 (diff) | |
download | php-git-21525d041369484d49781b34a8333a78798806e4.tar.gz |
Fix potential segfault in dns_get_record()
If the remote sends us a packet with a malformed TXT record,
we could end up trying to over-consume the packet and wander
off into overruns.
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/standard/dns.c | 4 |
2 files changed, 8 insertions, 0 deletions
@@ -31,6 +31,10 @@ PHP NEWS . Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (Francisco Alonso, Jan Kaluza, Remi) +- Network: + . Fixed bug #67432 (Fix potential segfault in dns_get_record()). + (CVE-2014-4049). (Sara) + - OpenSSL: . Fixed bug #65698 (certificates validity parsing does not work past 2050). (Paul Oehler) diff --git a/ext/standard/dns.c b/ext/standard/dns.c index 6a894467ff..214a7dc7e9 100644 --- a/ext/standard/dns.c +++ b/ext/standard/dns.c @@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int while (ll < dlen) { n = cp[ll]; + if ((ll + n) >= dlen) { + // Invalid chunk length, truncate + n = dlen - (ll + 1); + } memcpy(tp + ll , cp + ll + 1, n); add_next_index_stringl(entries, cp + ll + 1, n, 1); ll = ll + n + 1; |