diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-01-31 19:08:37 -0800 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2015-01-31 19:08:37 -0800 |
| commit | 237128603f99a97da9d0d261b8d0849f27b4c7b8 (patch) | |
| tree | b22950edbec46949e587be43acc15fa4100bd5e1 /ext | |
| parent | c8a12508c748a546d9dab14b3eb2c4a94ca279cc (diff) | |
| parent | 0f9c708229d7d4f4eff96c30cff7a2339f738511 (diff) | |
| download | php-git-237128603f99a97da9d0d261b8d0849f27b4c7b8.tar.gz | |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
Add mitigation for CVE-2015-0235 (bug #68925)
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/standard/dns.c | 11 | ||||
| -rw-r--r-- | ext/standard/tests/network/bug68925.phpt | 13 |
2 files changed, 24 insertions, 0 deletions
diff --git a/ext/standard/dns.c b/ext/standard/dns.c index 7d95a22abf..bb5f9109ed 100644 --- a/ext/standard/dns.c +++ b/ext/standard/dns.c @@ -222,6 +222,11 @@ PHP_FUNCTION(gethostbyname) return; } + if(hostname_len > MAXHOSTNAMELEN) { + /* name too long, protect from CVE-2015-0235 */ + php_error_docref(NULL, E_WARNING, "Host name is too long, the limit is %d characters", MAXHOSTNAMELEN); + RETURN_STRINGL(hostname, hostname_len, 1); + } addr = php_gethostbyname(hostname); RETVAL_STRING(addr, 0); @@ -242,6 +247,12 @@ PHP_FUNCTION(gethostbynamel) return; } + if(hostname_len > MAXHOSTNAMELEN) { + /* name too long, protect from CVE-2015-0235 */ + php_error_docref(NULL, E_WARNING, "Host name is too long, the limit is %d characters", MAXHOSTNAMELEN); + RETURN_FALSE; + } + hp = gethostbyname(hostname); if (hp == NULL || hp->h_addr_list == NULL) { RETURN_FALSE; diff --git a/ext/standard/tests/network/bug68925.phpt b/ext/standard/tests/network/bug68925.phpt new file mode 100644 index 0000000000..e710d72bdf --- /dev/null +++ b/ext/standard/tests/network/bug68925.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #68925 (CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow) +--FILE-- +<?php +var_dump(gethostbyname(str_repeat("0", 2501))); +var_dump(gethostbynamel(str_repeat("0", 2501))); +?> +--EXPECTF-- +Warning: gethostbyname(): Host name is too long, the limit is 256 characters in %s/bug68925.php on line %d +string(2501) "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + +Warning: gethostbynamel(): Host name is too long, the limit is 256 characters in %s/bug68925.php on line %d +bool(false) |