diff options
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/standard/dns.c | 11 | ||||
| -rw-r--r-- | ext/standard/tests/network/bug68925.phpt | 13 |
2 files changed, 24 insertions, 0 deletions
diff --git a/ext/standard/dns.c b/ext/standard/dns.c index 7d95a22abf..bb5f9109ed 100644 --- a/ext/standard/dns.c +++ b/ext/standard/dns.c @@ -222,6 +222,11 @@ PHP_FUNCTION(gethostbyname) return; } + if(hostname_len > MAXHOSTNAMELEN) { + /* name too long, protect from CVE-2015-0235 */ + php_error_docref(NULL, E_WARNING, "Host name is too long, the limit is %d characters", MAXHOSTNAMELEN); + RETURN_STRINGL(hostname, hostname_len, 1); + } addr = php_gethostbyname(hostname); RETVAL_STRING(addr, 0); @@ -242,6 +247,12 @@ PHP_FUNCTION(gethostbynamel) return; } + if(hostname_len > MAXHOSTNAMELEN) { + /* name too long, protect from CVE-2015-0235 */ + php_error_docref(NULL, E_WARNING, "Host name is too long, the limit is %d characters", MAXHOSTNAMELEN); + RETURN_FALSE; + } + hp = gethostbyname(hostname); if (hp == NULL || hp->h_addr_list == NULL) { RETURN_FALSE; diff --git a/ext/standard/tests/network/bug68925.phpt b/ext/standard/tests/network/bug68925.phpt new file mode 100644 index 0000000000..e710d72bdf --- /dev/null +++ b/ext/standard/tests/network/bug68925.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #68925 (CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow) +--FILE-- +<?php +var_dump(gethostbyname(str_repeat("0", 2501))); +var_dump(gethostbynamel(str_repeat("0", 2501))); +?> +--EXPECTF-- +Warning: gethostbyname(): Host name is too long, the limit is 256 characters in %s/bug68925.php on line %d +string(2501) "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + +Warning: gethostbynamel(): Host name is too long, the limit is 256 characters in %s/bug68925.php on line %d +bool(false) |