Out-of-bounds read in php_parserr with user-supplied dlen
Reported by groebert@google.com, Aug 7 2014
In ext/standard/dns.c, php_parserr parses a DNS response. php_parserr reads a (ushort) dlen from the DNS response (the RDLENGTH field) and, if raw is true, uses dlen for calculating the length of the string "data" in the return array. Since dlen is supplied in the DNS response you can read and leak up to 2^16 - 4 bytes past the buffer. Instead of dlen, it would be better to use the variable "end" from the calling function dns_get_record. I haven't checked whether there are popular open-source projects using the "raw" boolean. However, note that the fix for CVE-2014-4049 is incomplete because it also relies on dlen for bounds checking.
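The fix the report asks for is to bound the wire-supplied RDLENGTH by the real end of the answer buffer before it is used as a copy length. The following is an added example written for this page, not PHP's own code: a small record-data copier modelled on the php_parserr situation, with constructed sample records (the function and sample names are assumptions for illustration). The first sample claims 0xFFFF bytes of RDATA but carries only three, which is exactly the case a dlen-only check lets through.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PHP's own code. It models the defect pattern from the
 * report: RDLENGTH (dlen) is read from the untrusted DNS response, so before it
 * is used as a copy length it must be bounded by the real end of the answer
 * buffer ("end" in dns_get_record), not only by itself. */

/* Big-endian 16-bit read; the caller has already verified two bytes remain. */
static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Copies the RDATA of one record into out.
 * pos points at the record's RDLENGTH field inside buf (the name, type, class
 * and TTL fields before it are assumed already parsed by the caller).
 * Returns the RDATA length on success, or -1 when RDLENGTH claims more bytes
 * than remain before end, or when out is too small. */
long copy_rdata_checked(const uint8_t *buf, size_t buflen, size_t pos,
                        uint8_t *out, size_t outlen)
{
    const uint8_t *end = buf + buflen;          /* trusted: real end of the answer */
    const uint8_t *cp;
    uint16_t dlen;

    if (pos > buflen || buflen - pos < 2)
        return -1;                              /* no room for RDLENGTH itself */
    cp = buf + pos;
    dlen = rd_u16(cp);                          /* untrusted: comes from the wire */
    cp += 2;

    /* The check the report asks for: bound dlen by end, not by dlen alone. */
    if ((size_t)(end - cp) < dlen)
        return -1;
    if (dlen > outlen)
        return -1;

    memcpy(out, cp, dlen);
    return (long)dlen;
}

/* Constructed sample: a record whose RDLENGTH claims 0xFFFF bytes but only
 * three bytes of RDATA actually follow. The checked copy must refuse it. */
long demo_truncated_record(void)
{
    static const uint8_t rr[] = { 0xFF, 0xFF, 'a', 'b', 'c' };
    uint8_t out[16];
    return copy_rdata_checked(rr, sizeof rr, 0, out, sizeof out);
}

/* Constructed sample: RDLENGTH = 4 and exactly four bytes of RDATA. */
long demo_valid_record(void)
{
    static const uint8_t rr[] = { 0x00, 0x04, 0x7F, 0x00, 0x00, 0x01 };
    uint8_t out[16];
    long n = copy_rdata_checked(rr, sizeof rr, 0, out, sizeof out);
    if (n == 4 && memcmp(out, rr + 2, 4) == 0)
        return n;
    return -2;                                  /* copied the wrong bytes */
}

int main(void)
{
    printf("truncated record -> %ld (expected -1)\n", demo_truncated_record());
    printf("valid record     -> %ld (expected 4)\n", demo_valid_record());
    return 0;
}
```

The comparison is done as `end - cp` against `dlen` rather than `cp + dlen` against `end`, so the pointer arithmetic can never itself run past the buffer; the same shape applies wherever an attacker-controlled length is consumed from a packet.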
Comment 1 by fjserna@google.com, Aug 7 2014

Aug 8 2014
PHP confirms the report. It is a known, private bug (https://bugs.php.net/bug.php?id=67717) and targeted at the next release (5.4.32).

Oct 6 2014
CVE-2014-3597 Fixed: https://github.com/php/php-src/commit/2fefae47716d501aec41c1102f3fd4531f070b05 Released 21 Aug 2014: http://php.net/ChangeLog-5.php

Oct 6 2014
Changing status to Fixed, as that's what we use in general. Add Fixed label to denote date patch was available. Derestricting because it was fixed ages ago.

Oct 6 2014
Actually, put restriction back until I check in with @groebert if he wants to publish his reports in general.

Oct 10 2014