Bug #20763 PHP crashes with signal 11 while trying to parse message with uncommon headers
Submitted: 2002-12-02 09:17 UTC Modified: 2002-12-15 04:06 UTC
From: juliano at boltbluecorp dot com Assigned:
Status: Closed Package: IMAP related
PHP Version: 4.2.3 OS: RH Linux 7.3
Private report: No CVE-ID: None
 [2002-12-02 09:17 UTC] juliano at boltbluecorp dot com
Hi,

I found two bugs on the imap handling functions in PHP 4.2.3:
  - If a message contains a header with empty contents (like Reply-to: <> or Sender: <>), the web server running php crashes whenever a script tries to parse this message. I ran Apache 1.3.26 compiled against ElectricFence and found out that the bug is in _php_make_header_object: if the header contents are empty, _php_imap_parse_address won't allocate memory for fulladdress, but the function will call free() on fulladdress nevertheless. This leads to heap corruption and a subsequent segmentation fault.
  - It seems like _php_imap_address_size doesn't compute the header size correctly. If the number of addresses in a field is very large, this leads to a buffer overflow in c-client's rfc822_address.

My setup is:
Apache 1.3.26
PHP 4.2.3 compiled as a DSO with the following options:
/configure  --prefix=/data/www/consumer/conf --enable-track-vars --with-imap=/usr/local/app/imap-2002 --with-ldap=/usr/local/app/openldap --with-oracle=/usr/local/app/oracle_client --with-oci8=/usr/local/app/oracle_client --with-apxs=/data/www/consumer/bin/apxs --with-msession=/usr/local/app/phoenix --with-mysql --with-openssl=/usr/local/app/openssl --with-xml --with-curl=/usr/local/app/curl

Test messages:
   - For the first bug: any message with a header field with empty contents (like Sender: <> )
   - For the second bug: any message with a large (in my test there were 500) number of recipients on the To: or Cc: fields.

Backtrace for the first bug:
#0  0x4009fa01 in __kill () at __kill:-1
#1  0x0809a69d in EF_Abort (pattern=0x80aa540 "free(%a): address not from malloc().") at print.c:137
#2  0x08099f2a in free (address=0x4eacabcc) at efence.c:632
#3  0x404cc5b3 in _php_make_header_object (myzvalue=0x4ec6ffec, en=0x4ee32fbc) at php_imap.c:3724
#4  0x404c186b in zif_imap_headerinfo (ht=2, return_value=0x4ec6ffec, this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#5  0x40482e39 in execute (op_array=0x463affa4) at ./zend_execute.c:1598
#6  0x40493b2c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:812
#7  0x404a63b6 in php_execute_script (primary_file=0xbffff6b0) at main.c:1383
#8  0x404a0dbe in apache_php_module_main (r=0x445b9028, display_source_mode=0) at sapi_apache.c:90
#9  0x404a1c2c in send_php (r=0x445b9028, display_source_mode=0,
    filename=0x445bacc8 "/data/www/consumer/htdocs/memail/mailbox.php3") at mod_php4.c:575
#10 0x404a1c99 in send_parsed_php (r=0x445b9028) at mod_php4.c:590
#11 0x08055287 in ap_invoke_handler ()
#12 0x0806a307 in process_request_internal ()
#13 0x0806a368 in ap_process_request ()
#14 0x08061289 in child_main ()
#15 0x08061458 in make_child ()
#16 0x080615cc in startup_children ()
#17 0x08061c44 in standalone_main ()
#18 0x080624c3 in main ()
#19 0x4008d507 in __libc_start_main (main=0x8062100 <main>, argc=2, ubp_av=0xbffffae4, init=0x804f718 <_init>,
    fini=0x809a8f0 <_fini>, rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffffadc) at ../sysdeps/generic/libc-start.c:129

Backtrace for the second bug:
#0  0x400f68f7 in strcat () at strcat:-1
#1  0x4f5e7fe8 in ?? ()
#2  0x405b74b9 in rfc822_write_address_full (
    dest=0x4faa36a8 "\"address4use@yahoo.com\" <address4use@yahoo.com>, \"adriandoherty45@hotmail.com\" <adriandoherty45@hotmail.com>, \"agibso16@caledonian.ac.uk\" <agibso16@caledonian.ac.uk>, \"agrego10@caledonian.ac.uk\" <agre"...,
    adr=0x4eea7fe8, base=0x0) at rfc822.c:193
#3  0x404cbce6 in _php_imap_parse_address (addresslist=0x4eea7fe8, fulladdress=0xbfff472c, paddress=0x4f6eafec)
    at php_imap.c:3626
#4  0x404cc173 in _php_make_header_object (myzvalue=0x4f6adfec, en=0x4eba5fbc) at php_imap.c:3667
#5  0x404c186b in zif_imap_headerinfo (ht=2, return_value=0x4f6adfec, this_ptr=0x0, return_value_used=1) at php_imap.c:1631
#6  0x40482e39 in execute (op_array=0x446b1fa4) at ./zend_execute.c:1598
#7  0x40493b2c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:812
#8  0x404a63b6 in php_execute_script (primary_file=0xbffff6d0) at main.c:1383
#9  0x404a0dbe in apache_php_module_main (r=0x445b9028, display_source_mode=0) at sapi_apache.c:90
#10 0x404a1c2c in send_php (r=0x445b9028, display_source_mode=0,
    filename=0x445bace8 "/data/www/consumer/htdocs/memail/mailbox.php3") at mod_php4.c:575
#11 0x404a1c99 in send_parsed_php (r=0x445b9028) at mod_php4.c:590
#12 0x08055287 in ap_invoke_handler ()
#13 0x0806a307 in process_request_internal ()
#14 0x0806a368 in ap_process_request ()
#15 0x08061289 in child_main ()
#16 0x08061458 in make_child ()
#17 0x080615cc in startup_children ()
#18 0x08061c44 in standalone_main ()
#19 0x080624c3 in main ()
#20 0x4008d507 in __libc_start_main (main=0x8062100 <main>, argc=2, ubp_av=0xbffffb04, init=0x804f718 <_init>,
    fini=0x809a8f0 <_fini>, rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffffafc) at ../sysdeps/generic/libc-start.c:129


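The two defects the report describes come down to two patterns: a caller that free()s a pointer which the parse step never allocated (the "address not from malloc()" abort ElectricFence raised for a Sender: <> header), and a size computation that under-counts what the address renderer will actually emit, so a 500-recipient To: runs past its buffer. The C below is an added example written for this page; it is not php_imap.c or c-client code, and the names ADDRESS (a constructed struct using c-client's field names), address_list_size, render_address_list, parse_address, make_header_field, make_list and free_list are this example's own. It sizes the rendered form by counting every byte the renderer writes, refuses rather than overflows when the destination is too small, returns NULL without allocating for an empty field, and shows the caller initialising the pointer it will later free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for c-client's ADDRESS list (same field names, not c-client code). */
typedef struct address {
    char *personal;            /* display name, may be NULL */
    char *mailbox;             /* local part; NULL models an empty "<>" address */
    char *host;                /* domain, may be NULL */
    struct address *next;
} ADDRESS;

/* Bytes needed to render  "personal" <mailbox@host>, ...  plus the NUL.  Every byte
 * the renderer emits is counted; under-counting is what lets a long To: overflow. */
size_t address_list_size(const ADDRESS *adr)
{
    size_t n = 1;                                  /* terminating NUL */
    for (; adr != NULL; adr = adr->next) {
        if (adr->mailbox == NULL)
            continue;                              /* "<>" renders as nothing */
        if (adr->personal != NULL)
            n += 1 + strlen(adr->personal) + 2;    /* "personal" plus a space */
        n += 1 + strlen(adr->mailbox);             /* <mailbox */
        if (adr->host != NULL)
            n += 1 + strlen(adr->host);            /* @host */
        n += 1 + 2;                                /* > and ", " (the last ", " is slack) */
    }
    return n;
}

/* Render into a caller-supplied buffer.  Returns the rendered length, or (size_t)-1
 * when the buffer is too small, instead of writing past its end. */
size_t render_address_list(const ADDRESS *adr, char *dest, size_t destsz)
{
    size_t used = 0;
    if (destsz == 0)
        return (size_t)-1;
    dest[0] = '\0';
    for (; adr != NULL; adr = adr->next) {
        if (adr->mailbox == NULL)
            continue;
        int n = snprintf(dest + used, destsz - used, "%s%s%s%s<%s%s%s>",
                         used ? ", " : "", adr->personal ? "\"" : "",
                         adr->personal ? adr->personal : "", adr->personal ? "\" " : "",
                         adr->mailbox, adr->host ? "@" : "", adr->host ? adr->host : "");
        if (n < 0 || (size_t)n >= destsz - used)
            return (size_t)-1;                     /* would truncate: refuse, never overflow */
        used += (size_t)n;
    }
    return used;
}

/* malloc'd rendering, or NULL when there is nothing to render.  The NULL path is the
 * one the report hits: no allocation happens, so the caller has nothing to free. */
char *parse_address(const ADDRESS *adr)
{
    size_t need = address_list_size(adr);
    if (need == 1) return NULL;                    /* e.g. "Sender: <>" */
    char *buf = malloc(need);
    if (buf != NULL && render_address_list(adr, buf, need) == (size_t)-1) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Caller shaped like the report's description of _php_make_header_object.  The bug
 * shape is `char *fulladdress;` left indeterminate and then freed after a parse that
 * allocated nothing; initialising it makes free() a no-op on that path.
 * Returns 1 and hands *out to the caller, or 0 with *out == NULL. */
int make_header_field(const ADDRESS *adr, char **out)
{
    char *fulladdress = NULL;                      /* the fix: never indeterminate */
    fulladdress = parse_address(adr);
    *out = fulladdress;
    if (fulladdress != NULL)
        return 1;
    free(fulladdress);                             /* NULL here, so harmless */
    return 0;
}

/* Constructed test data: n copies of  "Recipient" <user@example.invalid>  (literals shared). */
ADDRESS *make_list(int n)
{
    ADDRESS *head = NULL;
    for (int i = 0; i < n; i++) {
        ADDRESS *a = malloc(sizeof *a);
        if (a == NULL) break;
        a->personal = "Recipient"; a->mailbox = "user"; a->host = "example.invalid";
        a->next = head;                            /* prepend: order is irrelevant here */
        head = a;
    }
    return head;
}

void free_list(ADDRESS *a)
{
    while (a != NULL) { ADDRESS *next = a->next; free(a); a = next; }
}
```

The size routine over-counts by the two bytes of a trailing ", " that is never written, which is the safe direction; the renderer still checks snprintf's return on every entry so that a mismatch between the two functions surfaces as a refused render rather than a heap write past the end of the buffer.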
History

 [2002-12-02 09:21 UTC] kalowsky@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip

I do believe this was recently dealt with....
 [2002-12-15 04:06 UTC] sniper@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 07 15:01:36 2024 UTC