- Fixed stack buffer overflow in socket_connect().
authorFelipe Pena <felipe@php.net>
Tue, 24 May 2011 00:05:50 +0000 (00:05 +0000)
committerFelipe Pena <felipe@php.net>
Tue, 24 May 2011 00:05:50 +0000 (00:05 +0000)
  Found by: Mateusz Kocielski, Marek Kroemeke and Filip Palian

NEWS
ext/sockets/sockets.c

diff --git a/NEWS b/NEWS
index f0cd89ba6707e2aa666970fb8d59ae52d28167ba..d555f020d52428578853b863f86373f8d901c095 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -118,6 +118,8 @@ PHP                                                                        NEWS
   . Fixed bug #54312 (soap_version logic bug). (tom at samplonius dot org)
 
 - Sockets extension:
+  . Fixed stack buffer overflow in socket_connect().
+    Found by Mateusz Kocielski, Marek Kroemeke and Filip Palian. (Felipe)
   . Changed socket_set_block() and socket_set_nonblock() so they emit warnings
     on error. (Gustavo)
   . Fixed bug #51958 (socket_accept() fails on IPv6 server sockets). (Gustavo)
index 91ae979827c20fca44de18a26a35ef7c27f8c42d..048afe1c5f1df604e265fb597c1127ee5bff2297 100644 (file)
@@ -1336,6 +1336,11 @@ PHP_FUNCTION(socket_connect)
                        break;
 
                case AF_UNIX:
+                       if (addr_len >= sizeof(s_un.sun_path)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);
+                               RETURN_FALSE;
+                       }
+                               
                        memset(&s_un, 0, sizeof(struct sockaddr_un));
 
                        s_un.sun_family = AF_UNIX;
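Review bot: The warning added in the `AF_UNIX` case passes `php_sock->type` as a trailing argument, but the format string `"Path too long"` has no conversion specifier, so the value is ignored. Either drop it, `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");`, or report the offending length instead so the warning is useful when triaging logs. The `>=` comparison against `sizeof(s_un.sun_path)` rejects a path that would exactly fill the buffer, which presumably keeps the terminating NUL left by the following `memset`; a one-line comment such as `/* keep room for the trailing NUL in sun_path */` would record that intent. The copy into `sun_path` lies outside this hunk, so it should be confirmed that it is bounded by the same `addr_len`. No regression test with an over-long path is visible in this commit.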