authorStanislav Malyshev <stas@php.net>2015-01-31 18:59:18 -0800
committerStanislav Malyshev <stas@php.net>2015-01-31 19:10:52 -0800
commit882a375dbad4ecb1fddd9dd80f1a1350299629c1 (patch)
tree0c80b087f5e4e32a3d13dea34094d9c177d00728
parent237128603f99a97da9d0d261b8d0849f27b4c7b8 (diff)
downloadphp-git-882a375dbad4ecb1fddd9dd80f1a1350299629c1.tar.gz
Add mitigation for CVE-2015-0235 (bug #68925)
-rw-r--r--NEWS3
-rw-r--r--ext/sockets/sockaddr_conv.c6
-rw-r--r--ext/standard/string.c2
-rw-r--r--main/network.c1
4 files changed, 9 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index 09eeb31281..88ca5ee618 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2015, PHP 5.5.22
+- Core:
+ . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
+ buffer overflow). (Stas)
- Date:
. Fixed bug #45081 (strtotime incorrectly interprets SGT time zone). (Derick)
diff --git a/ext/sockets/sockaddr_conv.c b/ext/sockets/sockaddr_conv.c
index 1c1a90d58f..80807dd243 100644
--- a/ext/sockets/sockaddr_conv.c
+++ b/ext/sockets/sockaddr_conv.c
@@ -9,6 +9,10 @@
#include <arpa/inet.h>
#endif
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 255
+#endif
+
extern int php_string_to_if_index(const char *val, unsigned *out TSRMLS_DC);
#if HAVE_IPV6
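Review bot: The fallback `#define MAXHOSTNAMELEN 255` only applies when no system header has already defined the macro, so the bound enforced by the new length check in php_set_inet_addr differs by platform. On Linux, `<sys/param.h>` defines MAXHOSTNAMELEN as 64; if that header is in scope here (not visible in this hunk), valid DNS names between 65 and 253 bytes would be rejected. A file-local constant under its own name (for example `#define PHP_SOCKETS_MAX_HOSTNAME 255`, a suggested name) would make the limit uniform. It should also carry a comment such as `/* upper bound on names handed to gethostbyname(); mitigation for CVE-2015-0235 */` so the reason for the cap stays next to the value.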
@@ -90,7 +94,7 @@ int php_set_inet_addr(struct sockaddr_in *sin, char *string, php_socket *php_soc
if (inet_aton(string, &tmp)) {
sin->sin_addr.s_addr = tmp.s_addr;
} else {
- if (! (host_entry = gethostbyname(string))) {
+ if (strlen(string) > MAXHOSTNAMELEN || ! (host_entry = gethostbyname(string))) {
/* Note: < -10000 indicates a host lookup error */
#ifdef PHP_WIN32
PHP_SOCKET_ERROR(php_sock, "Host lookup failed", WSAGetLastError());
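Review bot: When the added `strlen(string) > MAXHOSTNAMELEN` test short-circuits, gethostbyname() is never called, yet the branch still reports "Host lookup failed" with `WSAGetLastError()`. The non-Windows side of that `#ifdef` is outside this hunk and presumably reports the resolver error in the same way. An over-long name is therefore logged with a stale or unrelated error code, which hides the rejection from anyone triaging logs for GHOST probing. The length test would be better as its own guard ahead of the lookup, e.g. `if (strlen(string) > MAXHOSTNAMELEN) { /* reject before the resolver sees the name */ ... }`, reporting a distinct "host name too long" error. The guard covers only this call site in php_set_inet_addr, whose body begins and ends outside the hunk; other gethostbyname() callers are not visible in this diff and would need the same bound.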
diff --git a/ext/standard/string.c b/ext/standard/string.c
index cb212b49c2..410535b41c 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3940,7 +3940,7 @@ static void php_str_replace_in_subject(zval *search, zval *replace, zval **subje
replace_value, replace_len, &Z_STRLEN(temp_result), case_sensitivity, replace_count);
}
- str_efree(Z_STRVAL_P(result));
+ str_efree(Z_STRVAL_P(result));
Z_STRVAL_P(result) = Z_STRVAL(temp_result);
Z_STRLEN_P(result) = Z_STRLEN(temp_result);
diff --git a/main/network.c b/main/network.c
index 702509a9d9..c93e366cc6 100644
--- a/main/network.c
+++ b/main/network.c
@@ -27,7 +27,6 @@
#include <errno.h>
-
#ifdef PHP_WIN32
# include <Ws2tcpip.h>
# include "win32/inet.h"