php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38687 Possible buffer overflow in stream_socket_client() when using "bindto" + IPv6
Submitted: 2006-09-02 00:01 UTC Modified: 2006-09-11 19:20 UTC
From: christian dot schuster at s2000 dot tu-chemnitz dot de Assigned: pollita (profile)
Status: Closed Package: Streams related
PHP Version: 5CVS-2006-09-01 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2006-09-02 00:01 UTC] christian dot schuster at s2000 dot tu-chemnitz dot de
Description:
------------
Using stream_socket_client() with a context containing a valid local IPv6 binding address does not actually bind the socket to that address, but fails silently. This is a "side effect" of a possible buffer overflow:

In main/network.c, php_network_connect_socket_to_host() uses a "struct sockaddr", and references it via a pointer to "struct sockaddr_in" or "struct sockaddr_in6". For IPv4, this is usually sufficient - for IPv6 it is not. Upon the subsequent call to inet_pton(), some memory beyond the "struct sockaddr" is accessed.

A "struct sockaddr_in" or "struct sockaddr_in6" should be used instead, depending on the protocol.

PHP6 is affected by this bug, too.

Proposed patch: http://www-user.tu-chemnitz.de/~chschu/patches/php-stream_socket_client-bind.patch


Reproduce code:
---------------
/* sample code for illegal use of struct sockaddr */

#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main(int, char**) {
	struct sockaddr local_address;
	struct sockaddr_in6 *in6 = (struct sockaddr_in6*)&local_address;
	inet_pton(AF_INET6, "::1", &in6->sin6_addr);
}


Expected result:
----------------
Normal program termination.

Actual result:
--------------
"Segmentation fault" on inet_pton().

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-09-04 08:38 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2006-09-04 21:55 UTC] christian dot schuster at s2000 dot tu-chemnitz dot de
<?php

# create context containing binding address
$context = stream_context_create();
stream_context_set_option($context, "socket", "bindto",
	"[your:local:ipv6:address::here]");

# connect to some server
$handle = stream_socket_client("tcp://www.kame.net:80",
	$errno, $errstr, 5, STREAM_CLIENT_CONNECT,
	$context);

# print local name
echo stream_socket_get_name($handle, false);

# close connection
fclose($handle);

?>
 [2006-09-04 22:11 UTC] christian dot schuster at s2000 dot tu-chemnitz dot de
The output of the above script does not depend on whatever "your:local:ipv6:address::here" is replaced with. It should be something like "your:local:ipv6:address::here:port" - though I'd prefer "[your:local:ipv6:address::here]:port", but that's another point.

Another thing I noticed: Appending a port number to the binding address ("[your:local:ipv6:address::here]:port") triggers a warning:

Warning: stream_socket_client(): failed to bind to 'your:local:ipv6:address::here:port', system said: Invalid argument in test.php on line 11
 [2006-09-05 15:37 UTC] pollita@php.net
Looks like you've got it pegged, though the patch needs a little work (some systems will blow out your stack'd in4/in6 structs before they reach the bind() call).  I'll apply a patch very similar to this later today when I'm somewhere that I can reasonably test that everything behaves.
 [2006-09-11 19:20 UTC] pollita@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC