It isn't an overflow, in that particular case, but there are other parts of the sockets extension where negative values can make their way to an emalloc() call, and I suppose you could call that an integer overflow. I don't see how it is in any way exploitable.
-Rasmus

On Wed, 26 Mar 2003, Antony Dovgal wrote:
> Hello, all
>
> Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc()
> function.
> http://www.securitylab.ru/?ID=36819
>
>
> IMHO it's not an integer overflow, but use of a nonexistent second
> parameter; just try to call:
> <?php
> socket_iovec_alloc(1);
> ?>
>
> and you'll get a segfault.
>
>
> Take a look at this part of the code:
> ext/sockets/sockets.c
> ----
> if (argc < 1 || zend_get_parameters_array_ex(argc, args) == FAILURE) {
>     efree(args);
>     WRONG_PARAM_COUNT;
> }
>
> convert_to_long_ex(args[0]);
> num_vectors = Z_LVAL_PP(args[0]);
>
> vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));
>
> for (i = 0, j = 1; i < num_vectors; i++, j++) {
>     convert_to_long_ex(args[j]);
> ----
>
>
> Does anyone know why this extension was not moved to PECL?
>
> --
> Wbr,
> Antony Dovgal aka tony2001 mailto:[EMAIL PROTECTED]
> http://phpclub.net
> ---
> Stand for something or you will fall for nothing.
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
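The two problems the thread points at in the quoted snippet, a caller-controlled num_vectors that can be negative when it reaches emalloc() and a loop that reads args[j] past the arguments actually passed, shown as a defensive size check in C. This is an added example, not code from PHP's ext/sockets: the function names are hypothetical, calloc() stands in for emalloc(), and the SIZE_MAX guard is included for the general case even though the argc bound already keeps the count small.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/uio.h>

/* Hypothetical hardened counterpart of the size computation in the quoted
 * socket_iovec_alloc() code. argc is the number of arguments actually
 * passed; num_vectors is the caller-controlled value taken from args[0].
 * Returns 0 and writes the byte count on success, -1 when rejected. */
int iovec_alloc_size(int argc, long num_vectors, size_t *out_bytes)
{
    /* Mirrors the existing WRONG_PARAM_COUNT check: args[0] must exist. */
    if (argc < 1)
        return -1;

    /* In the quoted code a negative count reaches emalloc() via num_vectors+1. */
    if (num_vectors < 0)
        return -1;

    /* The loop reads args[1..num_vectors]. socket_iovec_alloc(1) has argc=1
     * and num_vectors=1, so args[1] does not exist: reject that shape. */
    if ((unsigned long)num_vectors > (unsigned long)(argc - 1))
        return -1;

    /* sizeof(struct iovec)*(num_vectors+1) must not wrap around. */
    size_t count = (size_t)num_vectors + 1;
    if (count > SIZE_MAX / sizeof(struct iovec))
        return -1;

    *out_bytes = count * sizeof(struct iovec);
    return 0;
}

/* Allocates the vector array only once the checks above pass; calloc()
 * stands in for PHP's emalloc(). The caller frees the result. */
struct iovec *alloc_iovec_array(int argc, long num_vectors)
{
    size_t bytes;
    if (iovec_alloc_size(argc, num_vectors, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}
```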