Bug #38687 Possible buffer overflow in stream_socket_client() when using "bindto" + IPv6
Submitted: 2006-09-02 00:01 UTC Modified: 2006-09-11 19:20 UTC
From: christian dot schuster at s2000 dot tu-chemnitz dot de Assigned: pollita (profile)
Status: Closed Package: Streams related
PHP Version: 5CVS-2006-09-01 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2006-09-02 00:01 UTC] christian dot schuster at s2000 dot tu-chemnitz dot de
Description:
------------
Using stream_socket_client() with a context containing a valid local IPv6 binding address does not actually bind the socket to that address, but fails silently. This is a "side effect" of a possible buffer overflow:

In main/network.c, php_network_connect_socket_to_host() uses a "struct sockaddr", and references it via a pointer to "struct sockaddr_in" or "struct sockaddr_in6". For IPv4, this is usually sufficient - for IPv6 it is not. Upon the subsequent call to inet_pton(), some memory beyond the "struct sockaddr" is accessed.

A "struct sockaddr_in" or "struct sockaddr_in6" should be used instead, depending on the protocol.

PHP6 is affected by this bug, too.

Proposed patch: http://www-user.tu-chemnitz.de/~chschu/patches/php-stream_socket_client-bind.patch


Reproduce code:
---------------
/* sample code for illegal use of struct sockaddr:
 * a plain struct sockaddr (16 bytes) is used as backing storage for a
 * struct sockaddr_in6 (28 bytes), so writing sin6_addr (16 bytes at
 * offset 8) runs 8 bytes past the end of local_address */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void) {
	struct sockaddr local_address;
	/* the cast compiles, but local_address is too small for an IPv6 address */
	struct sockaddr_in6 *in6 = (struct sockaddr_in6*)&local_address;
	inet_pton(AF_INET6, "::1", &in6->sin6_addr);
	return 0;
}


Expected result:
----------------
Normal program termination.

Actual result:
--------------
"Segmentation fault" on inet_pton().

 [2006-09-04 08:38 UTC] tony2001@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2006-09-04 21:55 UTC] christian dot schuster at s2000 dot tu-chemnitz dot de
<?php

# create context containing binding address
$context = stream_context_create();
stream_context_set_option($context, "socket", "bindto",
	"[your:local:ipv6:address::here]");

# connect to some server
$handle = stream_socket_client("tcp://www.kame.net:80",
	$errno, $errstr, 5, STREAM_CLIENT_CONNECT,
	$context);
if ($handle === false) {
	die("connect failed: $errstr ($errno)\n");
}

# print local name (should show the bound IPv6 address)
echo stream_socket_get_name($handle, false), "\n";

# close connection
fclose($handle);

?>
 [2006-09-04 22:11 UTC] christian dot schuster at s2000 dot tu-chemnitz dot de
The output of the above script does not depend on whatever "your:local:ipv6:address::here" is replaced with. It should be something like "your:local:ipv6:address::here:port" - though I'd prefer "[your:local:ipv6:address::here]:port", but that's another point.

Another thing I noticed: Appending a port number to the binding address ("[your:local:ipv6:address::here]:port") triggers a warning:

Warning: stream_socket_client(): failed to bind to 'your:local:ipv6:address::here:port', system said: Invalid argument in test.php on line 11
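The two problems raised in this report are (a) using a `struct sockaddr` as backing storage for an IPv6 address, which is too small, and (b) the ambiguity of an unbracketed `addr:port` string for IPv6, where the whole string ends up being treated as the host. The following is an added example written for this page, not code from the PHP source or from the reporter's patch. It parses a "bindto"-style string (`[v6addr]:port`, `[v6addr]`, `v4addr:port`, `v4addr`, or a bare `v6addr` without port) into a `struct sockaddr_storage`, which is guaranteed large enough for both `sockaddr_in` and `sockaddr_in6`, and returns the `socklen_t` the caller must pass to `bind()`. The function names `parse_bindto` and `parsed_port` are assumptions for illustration. The storage is owned by the caller, so it stays alive until `bind()` is called, which is the stack-lifetime point pollita raises about the original patch.

```c
/* Added example (not part of the PHP bug report or the PHP source):
 * parse a "bindto"-style string into a correctly sized socket address.
 * Accepts "[v6addr]:port", "[v6addr]", "v4addr:port", "v4addr" and a bare
 * "v6addr" (no port). The address is written into a struct sockaddr_storage,
 * which is large enough for both sockaddr_in and sockaddr_in6, instead of a
 * plain struct sockaddr, which is too small for IPv6. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Returns the address family (AF_INET or AF_INET6) on success and writes the
 * address into *ss and its length into *len; returns -1 on malformed input.
 * The caller owns ss, so it remains valid until bind() is called. */
static int parse_bindto(const char *spec, struct sockaddr_storage *ss, socklen_t *len)
{
    char host[INET6_ADDRSTRLEN];
    const char *portstr = NULL;
    size_t hostlen;
    long port = 0;

    memset(ss, 0, sizeof *ss);

    if (spec[0] == '[') {
        /* bracketed IPv6: "[addr]" or "[addr]:port" */
        const char *close = strchr(spec, ']');
        if (close == NULL) return -1;
        hostlen = (size_t)(close - spec - 1);
        if (close[1] == ':') portstr = close + 2;
        else if (close[1] != '\0') return -1;
        spec++;  /* skip the opening '[' */
    } else {
        /* unbracketed: "v4addr", "v4addr:port" or a bare "v6addr".
         * Two or more colons means IPv6 without a port: without brackets a
         * trailing ":port" is indistinguishable from part of the address
         * (e.g. "::1:80" is itself a valid IPv6 address). */
        const char *first = strchr(spec, ':');
        if (first != NULL && strchr(first + 1, ':') == NULL) {
            hostlen = (size_t)(first - spec);
            portstr = first + 1;
        } else {
            hostlen = strlen(spec);
        }
    }

    if (hostlen == 0 || hostlen >= sizeof host) return -1;
    memcpy(host, spec, hostlen);
    host[hostlen] = '\0';

    if (portstr != NULL) {
        char *end;
        if (*portstr == '\0') return -1;
        port = strtol(portstr, &end, 10);
        if (*end != '\0' || port < 0 || port > 65535) return -1;
    }

    /* Try IPv6 first, then IPv4, writing through the correctly typed view of ss.
     * Both views fit inside sockaddr_storage, so inet_pton never writes past it. */
    struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
    if (inet_pton(AF_INET6, host, &in6->sin6_addr) == 1) {
        in6->sin6_family = AF_INET6;
        in6->sin6_port = htons((uint16_t)port);
        *len = sizeof *in6;
        return AF_INET6;
    }
    struct sockaddr_in *in4 = (struct sockaddr_in *)ss;
    if (inet_pton(AF_INET, host, &in4->sin_addr) == 1) {
        in4->sin_family = AF_INET;
        in4->sin_port = htons((uint16_t)port);
        *len = sizeof *in4;
        return AF_INET;
    }
    return -1;
}

/* Accessor for the parsed port in host byte order; -1 if no address was set. */
static int parsed_port(const struct sockaddr_storage *ss)
{
    if (ss->ss_family == AF_INET6)
        return ntohs(((const struct sockaddr_in6 *)ss)->sin6_port);
    if (ss->ss_family == AF_INET)
        return ntohs(((const struct sockaddr_in *)ss)->sin_port);
    return -1;
}

int main(void)
{
    /* constructed sample inputs, including the ambiguous unbracketed case */
    const char *inputs[] = { "[::1]:8080", "::1", "127.0.0.1:0", "[::1", "::1:80" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct sockaddr_storage ss;
        socklen_t len = 0;
        int fam = parse_bindto(inputs[i], &ss, &len);
        printf("%-14s -> family=%d len=%u port=%d\n", inputs[i], fam,
               fam < 0 ? 0u : (unsigned)len, fam < 0 ? -1 : parsed_port(&ss));
    }
    return 0;
}
```

The `::1:80` case shows why brackets matter: without them the string is a valid eight-group IPv6 address, so a bind string of the form `addr:port` for IPv6 either parses as a different address or, as in the warning quoted above, is handed whole to the resolver and rejected. `sizeof(struct sockaddr)` is 16 on common platforms while `sizeof(struct sockaddr_in6)` is 28, which is the overflow the report describes; `sockaddr_storage` exists precisely so that one object can back either family.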
 [2006-09-05 15:37 UTC] pollita@php.net
Looks like you've got it pegged, though the patch needs a little work (some systems will blow out your stack'd in4/in6 structs before they reach the bind() call).  I'll apply a patch very similar to this later today when I'm somewhere that I can reasonably test that everything behaves.
 [2006-09-11 19:20 UTC] pollita@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC