aboutsummaryrefslogtreecommitdiffstats
path: root/meta-webserver/recipes-php/modphp/files/php-CVE-2014-3597.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-webserver/recipes-php/modphp/files/php-CVE-2014-3597.patch')
-rw-r--r--meta-webserver/recipes-php/modphp/files/php-CVE-2014-3597.patch282
1 files changed, 0 insertions, 282 deletions
diff --git a/meta-webserver/recipes-php/modphp/files/php-CVE-2014-3597.patch b/meta-webserver/recipes-php/modphp/files/php-CVE-2014-3597.patch
deleted file mode 100644
index 73f4e32c64..0000000000
--- a/meta-webserver/recipes-php/modphp/files/php-CVE-2014-3597.patch
+++ /dev/null
@@ -1,282 +0,0 @@
-modphp: Security Advisory - php - CVE-2014-3597
-
-Upstream-Status: Backport
-
-Signed-off-by: Yue Tao <yue.tao@windriver.com>
-
-From 2fefae47716d501aec41c1102f3fd4531f070b05 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Tue, 19 Aug 2014 08:33:49 +0200
-Subject: [PATCH] Fixed Sec Bug #67717 segfault in dns_get_record
- CVE-2014-3597
-
-Incomplete fix for CVE-2014-4049
-
-Check possible buffer overflow
-- pass real buffer end to dn_expand calls
-- check buffer len before each read
----
- ext/standard/dns.c | 84 +++++++++++++++++++++++++++++++++++++---------------
- 1 file changed, 60 insertions(+), 24 deletions(-)
-
-diff --git a/ext/standard/dns.c b/ext/standard/dns.c
-index 214a7dc..0b5e69c 100644
---- a/ext/standard/dns.c
-+++ b/ext/standard/dns.c
-@@ -412,8 +412,14 @@ PHP_FUNCTION(dns_check_record)
-
- #if HAVE_FULL_DNS_FUNCS
-
-+#define CHECKCP(n) do { \
-+ if (cp + n > end) { \
-+ return NULL; \
-+ } \
-+} while (0)
-+
- /* {{{ php_parserr */
--static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray)
-+static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray)
- {
- u_short type, class, dlen;
- u_long ttl;
-@@ -425,16 +431,18 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
-
- *subarray = NULL;
-
-- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
-+ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
- if (n < 0) {
- return NULL;
- }
- cp += n;
-
-+ CHECKCP(10);
- GETSHORT(type, cp);
- GETSHORT(class, cp);
- GETLONG(ttl, cp);
- GETSHORT(dlen, cp);
-+ CHECKCP(dlen);
- if (type_to_fetch != T_ANY && type != type_to_fetch) {
- cp += dlen;
- return cp;
-@@ -461,12 +469,14 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
-
- switch (type) {
- case DNS_T_A:
-+ CHECKCP(4);
- add_assoc_string(*subarray, "type", "A", 1);
- snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
- add_assoc_string(*subarray, "ip", name, 1);
- cp += dlen;
- break;
- case DNS_T_MX:
-+ CHECKCP(2);
- add_assoc_string(*subarray, "type", "MX", 1);
- GETSHORT(n, cp);
- add_assoc_long(*subarray, "pri", n);
-@@ -485,7 +495,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- if (type == DNS_T_PTR) {
- add_assoc_string(*subarray, "type", "PTR", 1);
- }
-- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
-+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
- if (n < 0) {
- return NULL;
- }
-@@ -495,18 +505,22 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- case DNS_T_HINFO:
- /* See RFC 1010 for values */
- add_assoc_string(*subarray, "type", "HINFO", 1);
-+ CHECKCP(1);
- n = *cp & 0xFF;
- cp++;
-+ CHECKCP(n);
- add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
- cp += n;
-+ CHECKCP(1);
- n = *cp & 0xFF;
- cp++;
-+ CHECKCP(n);
- add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
- cp += n;
- break;
- case DNS_T_TXT:
- {
-- int ll = 0;
-+ int l1 = 0, l2 = 0;
- zval *entries = NULL;
-
- add_assoc_string(*subarray, "type", "TXT", 1);
-@@ -515,37 +529,41 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- MAKE_STD_ZVAL(entries);
- array_init(entries);
-
-- while (ll < dlen) {
-- n = cp[ll];
-- if ((ll + n) >= dlen) {
-+ while (l1 < dlen) {
-+ n = cp[l1];
-+ if ((l1 + n) >= dlen) {
- // Invalid chunk length, truncate
-- n = dlen - (ll + 1);
-+ n = dlen - (l1 + 1);
-+ }
-+ if (n) {
-+ memcpy(tp + l2 , cp + l1 + 1, n);
-+ add_next_index_stringl(entries, cp + l1 + 1, n, 1);
- }
-- memcpy(tp + ll , cp + ll + 1, n);
-- add_next_index_stringl(entries, cp + ll + 1, n, 1);
-- ll = ll + n + 1;
-+ l1 = l1 + n + 1;
-+ l2 = l2 + n;
- }
-- tp[dlen] = '\0';
-+ tp[l2] = '\0';
- cp += dlen;
-
-- add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0);
-+ add_assoc_stringl(*subarray, "txt", tp, l2, 0);
- add_assoc_zval(*subarray, "entries", entries);
- }
- break;
- case DNS_T_SOA:
- add_assoc_string(*subarray, "type", "SOA", 1);
-- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
-+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
- if (n < 0) {
- return NULL;
- }
- cp += n;
- add_assoc_string(*subarray, "mname", name, 1);
-- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
-+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
- if (n < 0) {
- return NULL;
- }
- cp += n;
- add_assoc_string(*subarray, "rname", name, 1);
-+ CHECKCP(5*4);
- GETLONG(n, cp);
- add_assoc_long(*subarray, "serial", n);
- GETLONG(n, cp);
-@@ -559,6 +577,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- break;
- case DNS_T_AAAA:
- tp = (u_char*)name;
-+ CHECKCP(8*2);
- for(i=0; i < 8; i++) {
- GETSHORT(s, cp);
- if (s != 0) {
-@@ -593,6 +612,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- case DNS_T_A6:
- p = cp;
- add_assoc_string(*subarray, "type", "A6", 1);
-+ CHECKCP(1);
- n = ((int)cp[0]) & 0xFF;
- cp++;
- add_assoc_long(*subarray, "masklen", n);
-@@ -628,6 +648,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- cp++;
- }
- for (i = (n + 8) / 16; i < 8; i++) {
-+ CHECKCP(2);
- GETSHORT(s, cp);
- if (s != 0) {
- if (tp > (u_char *)name) {
-@@ -657,7 +678,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- tp[0] = '\0';
- add_assoc_string(*subarray, "ipv6", name, 1);
- if (cp < p + dlen) {
-- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
-+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
- if (n < 0) {
- return NULL;
- }
-@@ -666,6 +687,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- }
- break;
- case DNS_T_SRV:
-+ CHECKCP(3*2);
- add_assoc_string(*subarray, "type", "SRV", 1);
- GETSHORT(n, cp);
- add_assoc_long(*subarray, "pri", n);
-@@ -673,7 +695,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- add_assoc_long(*subarray, "weight", n);
- GETSHORT(n, cp);
- add_assoc_long(*subarray, "port", n);
-- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
-+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
- if (n < 0) {
- return NULL;
- }
-@@ -681,21 +703,35 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
- add_assoc_string(*subarray, "target", name, 1);
- break;
- case DNS_T_NAPTR:
-+ CHECKCP(2*2);
- add_assoc_string(*subarray, "type", "NAPTR", 1);
- GETSHORT(n, cp);
- add_assoc_long(*subarray, "order", n);
- GETSHORT(n, cp);
- add_assoc_long(*subarray, "pref", n);
-+
-+ CHECKCP(1);
- n = (cp[0] & 0xFF);
-- add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
-+ cp++;
-+ CHECKCP(n);
-+ add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
- cp += n;
-+
-+ CHECKCP(1);
- n = (cp[0] & 0xFF);
-- add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
-+ cp++;
-+ CHECKCP(n);
-+ add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
- cp += n;
-+
-+ CHECKCP(1);
- n = (cp[0] & 0xFF);
-- add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
-+ cp++;
-+ CHECKCP(n);
-+ add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
- cp += n;
-- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
-+
-+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
- if (n < 0) {
- return NULL;
- }
-@@ -888,7 +924,7 @@ PHP_FUNCTION(dns_get_record)
- while (an-- && cp && cp < end) {
- zval *retval;
-
-- cp = php_parserr(cp, &answer, type_to_fetch, store_results, raw, &retval);
-+ cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, raw, &retval);
- if (retval != NULL && store_results) {
- add_next_index_zval(return_value, retval);
- }
-@@ -901,7 +937,7 @@ PHP_FUNCTION(dns_get_record)
- while (ns-- > 0 && cp && cp < end) {
- zval *retval = NULL;
-
-- cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, raw, &retval);
-+ cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, raw, &retval);
- if (retval != NULL) {
- add_next_index_zval(authns, retval);
- }
-@@ -913,7 +949,7 @@ PHP_FUNCTION(dns_get_record)
- while (ar-- > 0 && cp && cp < end) {
- zval *retval = NULL;
-
-- cp = php_parserr(cp, &answer, DNS_T_ANY, 1, raw, &retval);
-+ cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, raw, &retval);
- if (retval != NULL) {
- add_next_index_zval(addtl, retval);
- }
---
-1.7.9.5
-
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-19 06:45:02 +0000