mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
Add mitigation for CVE-2015-0235 (bug #68925)
This commit is contained in:
parent
61ad5e24ea
commit
0f9c708229
4
NEWS
4
NEWS
@ -2,6 +2,10 @@ PHP NEWS
|
||||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
?? ??? 20?? PHP 5.4.38
|
||||
|
||||
- Core:
|
||||
. Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
|
||||
buffer overflow). (Stas)
|
||||
|
||||
22 Jan 2015 PHP 5.4.37
|
||||
- Core:
|
||||
. Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()).
|
||||
|
@ -222,6 +222,11 @@ PHP_FUNCTION(gethostbyname)
|
||||
return;
|
||||
}
|
||||
|
||||
if(hostname_len > MAXHOSTNAMELEN) {
|
||||
/* name too long, protect from CVE-2015-0235 */
|
||||
php_error_docref(NULL, E_WARNING, "Host name is too long, the limit is %d characters", MAXHOSTNAMELEN);
|
||||
RETURN_STRINGL(hostname, hostname_len, 1);
|
||||
}
|
||||
addr = php_gethostbyname(hostname);
|
||||
|
||||
RETVAL_STRING(addr, 0);
|
||||
@ -242,6 +247,12 @@ PHP_FUNCTION(gethostbynamel)
|
||||
return;
|
||||
}
|
||||
|
||||
if(hostname_len > MAXHOSTNAMELEN) {
|
||||
/* name too long, protect from CVE-2015-0235 */
|
||||
php_error_docref(NULL, E_WARNING, "Host name is too long, the limit is %d characters", MAXHOSTNAMELEN);
|
||||
RETURN_FALSE;
|
||||
}
|
||||
|
||||
hp = gethostbyname(hostname);
|
||||
if (hp == NULL || hp->h_addr_list == NULL) {
|
||||
RETURN_FALSE;
|
||||
|
13
ext/standard/tests/network/bug68925.phpt
Normal file
13
ext/standard/tests/network/bug68925.phpt
Normal file
@ -0,0 +1,13 @@
|
||||
--TEST--
|
||||
Bug #68925 (CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow)
|
||||
--FILE--
|
||||
<?php
|
||||
var_dump(gethostbyname(str_repeat("0", 2501)));
|
||||
var_dump(gethostbynamel(str_repeat("0", 2501)));
|
||||
?>
|
||||
--EXPECTF--
|
||||
Warning: gethostbyname(): Host name is too long, the limit is 256 characters in %s/bug68925.php on line %d
|
||||
string(2501) "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
|
||||
|
||||
Warning: gethostbynamel(): Host name is too long, the limit is 256 characters in %s/bug68925.php on line %d
|
||||
bool(false)
|
@ -24,6 +24,7 @@
|
||||
#include "php.h"
|
||||
|
||||
#include <stddef.h>
|
||||
#include <errno.h>
|
||||
|
||||
#ifdef PHP_WIN32
|
||||
# include "win32/inet.h"
|
||||
@ -102,6 +103,10 @@ const struct in6_addr in6addr_any = {0}; /* IN6ADDR_ANY_INIT; */
|
||||
# define PHP_TIMEOUT_ERROR_VALUE ETIMEDOUT
|
||||
#endif
|
||||
|
||||
#ifndef MAXHOSTNAMELEN
|
||||
#define MAXHOSTNAMELEN 255
|
||||
#endif
|
||||
|
||||
#if HAVE_GETADDRINFO
|
||||
#ifdef HAVE_GAI_STRERROR
|
||||
# define PHP_GAI_STRERROR(x) (gai_strerror(x))
|
||||
@ -243,7 +248,12 @@ PHPAPI int php_network_getaddresses(const char *host, int socktype, struct socka
|
||||
#else
|
||||
if (!inet_aton(host, &in)) {
|
||||
/* XXX NOT THREAD SAFE (is safe under win32) */
|
||||
host_info = gethostbyname(host);
|
||||
if(strlen(host) > MAXHOSTNAMELEN) {
|
||||
host_info = NULL;
|
||||
errno = E2BIG;
|
||||
} else {
|
||||
host_info = gethostbyname(host);
|
||||
}
|
||||
if (host_info == NULL) {
|
||||
if (error_string) {
|
||||
spprintf(error_string, 0, "php_network_getaddresses: gethostbyname failed. errno=%d", errno);
|
||||
|
@ -611,7 +611,11 @@ int fcgi_listen(const char *path, int backlog)
|
||||
if (sa.sa_inet.sin_addr.s_addr == INADDR_NONE) {
|
||||
struct hostent *hep;
|
||||
|
||||
hep = gethostbyname(host);
|
||||
if(strlen(host) > MAXHOSTNAMELEN) {
|
||||
hep = NULL;
|
||||
} else {
|
||||
hep = gethostbyname(host);
|
||||
}
|
||||
if (!hep || hep->h_addrtype != AF_INET || !hep->h_addr_list[0]) {
|
||||
fprintf(stderr, "Cannot resolve host name '%s'!\n", host);
|
||||
return -1;
|
||||
|
Loading…
Reference in New Issue
Block a user