Fix potential segfault in dns_get_record()
authorSara Golemon <pollita@php.net>
Tue, 10 Jun 2014 18:18:02 +0000 (11:18 -0700)
committerStanislav Malyshev <stas@php.net>
Fri, 13 Jun 2014 23:42:55 +0000 (16:42 -0700)
If the remote sends us a packet with a malformed TXT record,
we could end up trying to over-consume the packet and wander
off into overruns.

ext/standard/dns.c

index 8e24a817ffc6ef8efd3a34befe0847007d7eaa59..67ea459ea223fc87b04df17df09d58be9e30aba6 100644 (file)
@@ -507,6 +507,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
                                
                                while (ll < dlen) {
                                        n = cp[ll];
+                                       if ((ll + n) >= dlen) {
+                                               // Invalid chunk length, truncate
+                                               n = dlen - (ll + 1);
+                                       }
                                        memcpy(tp + ll , cp + ll + 1, n);
                                        add_next_index_stringl(entries, cp + ll + 1, n, 1);
                                        ll = ll + n + 1;
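Review bot: The new clamp `n = dlen - (ll + 1);` bounds each TXT chunk only against `dlen`, so the `memcpy` and `add_next_index_stringl` below it stay in bounds only if `dlen` has itself been checked against the end of the received answer. That check is not visible in this hunk and is worth confirming in the surrounding code. The malformed record is also truncated silently and still handed back as an ordinary TXT entry, so a caller cannot tell it apart from a well-formed one; consider raising a warning or dropping the record at that branch. The `//` comment would read better as a block comment that states the invariant, e.g. `/* chunk length runs past the record's rdata (dlen); clamp to the bytes that remain */`, assuming the rest of the file uses C89-style comments. The `while (ll < dlen)` loop and the enclosing `php_parserr` body start and end outside the hunk.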