1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
From 4f73394fdd95d3165b4391e1b0dedd57fced8c3b Mon Sep 17 00:00:00 2001
From: Sara Golemon <pollita@php.net>
Date: Tue, 10 Jun 2014 11:18:02 -0700
Subject: [PATCH] Fix potential segfault in dns_get_record()
If the remote sends us a packet with a malformed TXT record,
we could end up trying to over-consume the packet and wander
off into overruns.
---
ext/standard/dns.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ext/standard/dns.c b/ext/standard/dns.c
index 6a89446..214a7dc 100644
--- a/ext/standard/dns.c
+++ b/ext/standard/dns.c
@@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
while (ll < dlen) {
n = cp[ll];
+ if ((ll + n) >= dlen) {
+ // Invalid chunk length, truncate
+ n = dlen - (ll + 1);
+ }
memcpy(tp + ll , cp + ll + 1, n);
add_next_index_stringl(entries, cp + ll + 1, n, 1);
ll = ll + n + 1;
--
1.9.3
|
