Hello, all

Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function.
http://www.securitylab.ru/?ID=36819

IMHO it's not an integer overflow, but use of a nonexistent second parameter; just try to call:

<?php socket_iovec_alloc(1); ?>

and you'll get a segfault. Take a look at this part of the code:

ext/sockets/sockets.c
----
    if (argc < 1 || zend_get_parameters_array_ex(argc, args) == FAILURE) {
        efree(args);
        WRONG_PARAM_COUNT;
    }

    convert_to_long_ex(args[0]);
    num_vectors = Z_LVAL_PP(args[0]);

    vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));

    for (i = 0, j = 1; i < num_vectors; i++, j++) {
        convert_to_long_ex(args[j]);
----

Does anyone know why this extension was not moved to PECL?

--
Wbr,
Antony Dovgal aka tony2001
mailto:[EMAIL PROTECTED]
http://phpclub.net
---
Stand for something or you will fall for nothing.
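
The checks the quoted snippet lacks, as an added example that is not part of the original post and is not PHP's code: the count in args[0] is validated against argc before the loop reads args[j], and the allocation size is checked for wraparound. The function names, status codes and the plain `long` array standing in for the converted parameters are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/uio.h>

/* Hypothetical status codes for this example. */
enum { IOV_OK = 0, IOV_BAD_COUNT = -1, IOV_MISSING_ARGS = -2,
       IOV_OVERFLOW = -3, IOV_BAD_LEN = -4, IOV_NOMEM = -5 };

/* Bytes needed for count+1 iovec entries; rejects counts for which
 * sizeof(struct iovec)*(count+1) would wrap around. */
int iovec_array_size(size_t count, size_t *bytes)
{
    if (count >= SIZE_MAX / sizeof(struct iovec))
        return IOV_OVERFLOW;
    *bytes = (count + 1) * sizeof(struct iovec);
    return IOV_OK;
}

/* args[0] is the vector count and args[1..] the per-vector lengths,
 * mirroring the parameter layout of the quoted snippet (modelled here
 * as already-converted longs). */
int iovec_alloc_checked(const long *args, int argc, struct iovec **out)
{
    size_t bytes;
    long num_vectors;
    struct iovec *v;

    *out = NULL;
    if (argc < 1 || args[0] < 0)
        return IOV_BAD_COUNT;
    num_vectors = args[0];
    /* The loop reads args[1..num_vectors], so that many must be present. */
    if (num_vectors > (long)argc - 1)
        return IOV_MISSING_ARGS;
    if (iovec_array_size((size_t)num_vectors, &bytes) != IOV_OK)
        return IOV_OVERFLOW;
    v = calloc(1, bytes);
    if (v == NULL)
        return IOV_NOMEM;
    for (long i = 0, j = 1; i < num_vectors; i++, j++) {
        if (args[j] < 0) { free(v); return IOV_BAD_LEN; }
        v[i].iov_len = (size_t)args[j];  /* iov_base stays NULL in this model */
    }
    *out = v;
    return IOV_OK;
}

int main(void)
{
    long one_arg[] = { 1 };  /* constructed input: socket_iovec_alloc(1) */
    struct iovec *v;
    return iovec_alloc_checked(one_arg, 1, &v) == IOV_MISSING_ARGS ? 0 : 1;
}
```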