php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login | |
Patch dns-parser.patch for *Network Functions Bug #67717Patch version 2014-07-30 12:44 UTC Return to Bug #67717 | Download this patchThis patch is obsolete Obsoleted by patches: Patch Revisions:Developer: remi@php.net--- ext/standard/dns.c.old 2014-07-30 14:04:02.771162522 +0200 +++ ext/standard/dns.c 2014-07-30 14:30:44.187825018 +0200 @@ -412,8 +412,14 @@ #if HAVE_FULL_DNS_FUNCS +#define CHECKCP(n) do { \ + if (cp + n > end) { \ + return NULL; \ + } \ +} while (0) + /* {{{ php_parserr */ -static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray) +static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray) { u_short type, class, dlen; u_long ttl; @@ -425,16 +431,18 @@ *subarray = NULL; - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2); + n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2); if (n < 0) { return NULL; } cp += n; + CHECKCP(10); GETSHORT(type, cp); GETSHORT(class, cp); GETLONG(ttl, cp); GETSHORT(dlen, cp); + CHECKCP(dlen); if (type_to_fetch != T_ANY && type != type_to_fetch) { cp += dlen; return cp; @@ -461,12 +469,14 @@ switch (type) { case DNS_T_A: + CHECKCP(4); add_assoc_string(*subarray, "type", "A", 1); snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]); add_assoc_string(*subarray, "ip", name, 1); cp += dlen; break; case DNS_T_MX: + CHECKCP(2); add_assoc_string(*subarray, "type", "MX", 1); GETSHORT(n, cp); add_assoc_long(*subarray, "pri", n); @@ -485,7 +495,7 @@ if (type == DNS_T_PTR) { add_assoc_string(*subarray, "type", "PTR", 1); } - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -506,7 +516,7 @@ break; case DNS_T_TXT: { - int ll = 0; + int l1 = 0, l2 = 0; zval *entries = NULL; add_assoc_string(*subarray, "type", "TXT", 1); @@ -515,32 +525,35 @@ MAKE_STD_ZVAL(entries); array_init(entries); - while (ll < dlen) { - n = cp[ll]; - if ((ll + n) >= dlen) { + while (l1 < dlen) { + n = cp[l1]; + if ((l1 + n) >= dlen) { // Invalid chunk length, truncate - n = dlen - (ll + 1); + n = dlen - (l1 + 1); + } + if (n) { + memcpy(tp + l2 , cp + l1 + 1, n); + add_next_index_stringl(entries, cp + l1 + 1, n, 1); } - memcpy(tp + ll , cp + ll + 1, n); - add_next_index_stringl(entries, cp + ll + 1, n, 1); - ll = ll + n + 1; + l1 = l1 + n + 1; + l2 = l2 + n; } - tp[dlen] = '\0'; + tp[l2] = '\0'; cp += dlen; - add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0); + add_assoc_stringl(*subarray, "txt", tp, l2, 0); add_assoc_zval(*subarray, "entries", entries); } break; case DNS_T_SOA: add_assoc_string(*subarray, "type", "SOA", 1); - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); if (n < 0) { return NULL; } cp += n; add_assoc_string(*subarray, "mname", name, 1); - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); if (n < 0) { return NULL; } @@ -559,6 +572,7 @@ break; case DNS_T_AAAA: tp = (u_char*)name; + CHECKCP(16); for(i=0; i < 8; i++) { GETSHORT(s, cp); if (s != 0) { @@ -657,7 +671,7 @@ tp[0] = '\0'; add_assoc_string(*subarray, "ipv6", name, 1); if (cp < p + dlen) { - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -673,7 +687,7 @@ add_assoc_long(*subarray, "weight", n); GETSHORT(n, cp); add_assoc_long(*subarray, "port", n); - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -695,7 +709,7 @@ n = (cp[0] & 0xFF); add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1); cp += n; - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -888,7 +902,7 @@ while (an-- && cp && cp < end) { zval *retval; - cp = php_parserr(cp, &answer, type_to_fetch, store_results, raw, &retval); + cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, raw, &retval); if (retval != NULL && store_results) { add_next_index_zval(return_value, retval); } @@ -901,7 +915,7 @@ while (ns-- > 0 && cp && cp < end) { zval *retval = NULL; - cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, raw, &retval); + cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, raw, &retval); if (retval != NULL) { add_next_index_zval(authns, retval); } @@ -913,7 +927,7 @@ while (ar-- > 0 && cp && cp < end) { zval *retval = NULL; - cp = php_parserr(cp, &answer, DNS_T_ANY, 1, raw, &retval); + cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, raw, &retval); if (retval != NULL) { add_next_index_zval(addtl, retval); } |
Copyright © 2001-2024 The PHP Group All rights reserved. |
Last updated: Tue Dec 10 11:01:28 2024 UTC |