Newsgroups: php.internals
Date: Wed, 26 Mar 2003 11:26:02 +0200
To: internals@lists.php.net
Message-ID: <20030326112602.4479ad59.tony2001@phpclub.net>
Subject: socket_iovec_alloc segfault && security advisory
From: tony2001@phpclub.net (Antony Dovgal)

Hello, all

Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function.
http://www.securitylab.ru/?ID=36819

IMHO it's not an integer overflow, but use of a nonexistent second parameter; just try to call: and you'll get a segfault.

Take a look at this part of the code:

ext/sockets/sockets.c
----
    if (argc < 1 || zend_get_parameters_array_ex(argc, args) == FAILURE) {
        efree(args);
        WRONG_PARAM_COUNT;
    }

    convert_to_long_ex(args[0]);
    num_vectors = Z_LVAL_PP(args[0]);

    vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));

    /* nothing checks that num_vectors further arguments were actually passed,
       so j can run past argc - 1 here */
    for (i = 0, j = 1; i < num_vectors; i++, j++) {
        convert_to_long_ex(args[j]);
----

Does anyone know why this extension was not moved to PECL?

--
Wbr,
Antony Dovgal aka tony2001
mailto:tony2001@phpclub.net
http://phpclub.net

---
Stand for something or you will fall for nothing.
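An added illustration, constructed here and not taken from Antony's message or from PHP's sockets.c: a C model of the quoted loop that counts how many args[] slots beyond the supplied arguments the unchecked loop would read, next to a version carrying the argument-count check the quoted code lacks. The function names and the flat `long args[]` vector standing in for zend's argument array are assumptions.

```c
/* Constructed stand-in for the PHP argument vector: args[0] holds
 * num_vectors, args[1..argc-1] hold one length per vector. */

/* Count how many out-of-range args[] slots the quoted loop would touch.
 * The loop reads args[j] for j = 1 .. num_vectors; only j <= argc - 1
 * is backed by a real argument, so the excess reads are the defect. */
long unchecked_overreads(const long *args, int argc)
{
    if (argc < 1)
        return 0;                     /* WRONG_PARAM_COUNT already rejects this */
    long num_vectors = args[0];
    long supplied = argc - 1;         /* length arguments actually passed */
    if (num_vectors <= supplied)
        return 0;
    return num_vectors - supplied;    /* args[supplied+1 .. num_vectors] */
}

/* Hardened version of the loop: copies the per-vector lengths only after
 * confirming the caller supplied exactly num_vectors of them and that the
 * count fits the destination. Returns the number of vectors copied, or -1
 * where the PHP code would raise WRONG_PARAM_COUNT. */
long iovec_lengths_checked(const long *args, int argc, long *out, long max_out)
{
    if (argc < 1)
        return -1;
    long num_vectors = args[0];
    if (num_vectors < 0 || num_vectors > max_out)
        return -1;                    /* also bounds the emalloc size computation */
    if (argc - 1 != num_vectors)      /* the check the quoted code lacks */
        return -1;
    for (long i = 0, j = 1; i < num_vectors; i++, j++)
        out[i] = args[j];             /* j never exceeds argc - 1 here */
    return num_vectors;
}
```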