Newsgroups: php.internals
Date: Wed, 26 Mar 2003 01:30:11 -0800 (Pacific Standard Time)
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Antony Dovgal
cc: internals@lists.php.net
In-Reply-To: <20030326112602.4479ad59.tony2001@phpclub.net>
References: <20030326112602.4479ad59.tony2001@phpclub.net>
Subject: Re: [PHP-DEV] socket_iovec_alloc segfault && security advisory

It isn't an overflow, in that particular case, but there are other parts of
the sockets extension where negative values can make their way to an
emalloc() call, and I suppose you could call that an integer overflow. I
don't see how it is in any way exploitable.

-Rasmus

On Wed, 26 Mar 2003, Antony Dovgal wrote:

> Hello, all
>
> Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc()
> function.
> http://www.securitylab.ru/?ID=36819
>
>
> IMHO it's not an integer overflow, but the use of a nonexistent second
> parameter; just try to call:
>
> <?php
> socket_iovec_alloc(1);
> ?>
>
> and you'll get a segfault.
>
> Take a look at this part of the code:
> ext/sockets/sockets.c
> ----
> if (argc < 1 || zend_get_parameters_array_ex(argc, args) == FAILURE) {
>         efree(args);
>         WRONG_PARAM_COUNT;
> }
>
> convert_to_long_ex(args[0]);
> num_vectors = Z_LVAL_PP(args[0]);
>
> vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));
>
> for (i = 0, j = 1; i < num_vectors; i++, j++) {
>         convert_to_long_ex(args[j]);
> ----
>
> Does anyone know why this extension was not moved to PECL?
>
> --
> Wbr,
> Antony Dovgal aka tony2001 mailto:tony2001@phpclub.net
> http://phpclub.net
> ---
> Stand for something or you will fall for nothing.
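Added example, not code from the PHP project or from either poster: a self-contained C model of the quoted code path with the two guards the fragment lacks. The first is the one Antony's crash points at, that num_vectors must not exceed the number of vector arguments actually passed (argc minus the count argument itself), so the loop never reads past args[]; the second is the one Rasmus raises, that neither a negative count nor a negative per-vector length can reach the allocator's size computation, with the multiply in sizeof(struct iovec)*(num_vectors+1) also checked against wrapping. The function names (iovec_count_valid, iovec_bytes, iovec_array_new, iovec_len_at) and the argument arrays are constructed for the illustration, and calloc() stands in for emalloc().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/uio.h>   /* struct iovec */

/* Constructed inputs standing in for the zval argument array: args[0] is
 * num_vectors, args[1..] are the per-vector lengths the loop reads. */
static const long args_count_only[] = {1};          /* socket_iovec_alloc(1): count, no vector */
static const long args_negative[]   = {-1};         /* negative count reaching the size math */
static const long args_bad_length[] = {1, -5};      /* negative length for a vector */
static const long args_ok[]         = {2, 10, 20};  /* two vectors of 10 and 20 bytes */

/* Check 1: the announced count must be non-negative and must not exceed the
 * vector arguments actually passed (argc includes num_vectors itself). */
int iovec_count_valid(long num_vectors, int argc)
{
    if (argc < 1 || num_vectors < 0)
        return 0;
    return (unsigned long)num_vectors <= (unsigned long)(argc - 1);
}

/* Check 2: bytes for count + 1 entries (the +1 mirrors the original
 * allocation), or 0 if either the add or the multiply would wrap. */
size_t iovec_bytes(size_t count)
{
    if (count == SIZE_MAX)
        return 0;
    size_t entries = count + 1;
    if (entries > SIZE_MAX / sizeof(struct iovec))
        return 0;
    return entries * sizeof(struct iovec);
}

/* Guarded version of the quoted code path. calloc() stands in for emalloc().
 * Returns NULL on any rejected input instead of indexing past args[]. */
struct iovec *iovec_array_new(const long *args, int argc)
{
    if (argc < 1)
        return NULL;
    long num_vectors = args[0];
    if (!iovec_count_valid(num_vectors, argc))
        return NULL;
    size_t bytes = iovec_bytes((size_t)num_vectors);
    if (bytes == 0)
        return NULL;
    struct iovec *v = calloc(1, bytes);
    if (v == NULL)
        return NULL;
    /* Every args[j] read here is now guaranteed to lie within argc. */
    for (long i = 0, j = 1; i < num_vectors; i++, j++) {
        if (args[j] < 0) {          /* a negative length must not reach an allocator */
            free(v);
            return NULL;
        }
        v[i].iov_base = NULL;       /* the real code would allocate args[j] bytes here */
        v[i].iov_len  = (size_t)args[j];
    }
    return v;
}

/* Convenience for checking results: iov_len of entry i, or (size_t)-1 if
 * the input was rejected. */
size_t iovec_len_at(const long *args, int argc, long i)
{
    struct iovec *v = iovec_array_new(args, argc);
    if (v == NULL)
        return (size_t)-1;
    size_t len = v[i].iov_len;
    free(v);
    return len;
}

int main(void)
{
    printf("socket_iovec_alloc(1)-style call rejected: %s\n",
           iovec_array_new(args_count_only, 1) == NULL ? "yes" : "no");
    printf("negative count rejected: %s\n",
           iovec_array_new(args_negative, 1) == NULL ? "yes" : "no");
    printf("negative length rejected: %s\n",
           iovec_array_new(args_bad_length, 2) == NULL ? "yes" : "no");
    printf("valid call, second vector length: %zu\n",
           iovec_len_at(args_ok, 3, 1));
    return 0;
}
```

The count check alone is what turns the segfault into a clean parameter error; the SIZE_MAX division is the cheap way to prove the size expression cannot wrap before it is handed to any allocator, which is the class of problem the advisory was calling an integer overflow.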