TUCoPS :: Web :: PHP :: a6092.htm

PHP Integer overflow in socket_iovec_alloc() function and memory allocator
26th Mar 2003 [SBWID-6092]
COMMAND

	PHP  Integer  overflow  in  socket_iovec_alloc()  function  and   memory
	allocator

SYSTEMS AFFECTED

	PHP < 4.3.2
	
	Tested on :
	 
	 Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

PROBLEM

	In  Sir  Mordred   [mordred@s-mail.com]   of   Mordred   Security   Labs
	[http://mslabs.iwebland.com], advisories :
	
	 1
	 =
	
	In PHP emalloc() function  implements  the  error  safe  wrapper  around
	malloc(). Unfortunately this function suffers from an  integer  overflow
	and considering the fact that emalloc() is used in  many  places  around
	PHP source code, it may lead to many serious security issues.
	
	Here i will describe only a couple of minor  issues  in  a  PHP  sockets
	extension. This extension is turned off by default and to enable it  you
	should compile PHP with --enable-sockets option.
	
	* Issue 1 - Integer sign error in PHP socket_recv() function
	
	Requesting the following short script will cause a httpd  child  to  die
	with the error message - child pid <pidnum> exit signal  Segmentation
	fault (11)
	
	$ cat t1.php
	
	<?php
	     $buf = "";
	     socket_recv(socket_create(AF_INET, SOCK_STREAM, 0), $buf, -3, 0);
	 ?>
	
	* Issue 2 - Integer sign error in PHP socket_recvfrom() function
	
	Requesting the following script will also cause a httpd child to die.
	
	$ cat t2.php
	
	<?php
	     $buf = "";
	     $name = "";
	     socket_recvfrom(socket_create(AF_INET, SOCK_STREAM, 0), $buf, -3, 0,
	 $name);
	 ?>
	
	
	 2
	 =
	
	The PHP socket extension implements a low-level interface to the  socket
	communication functions based on the popular BSD sockets, providing  the
	possibility to act as a socket server as well as a client...
	
	To enable this extenstion PHP should be compiled  with  --enable-sockets
	option.
	
	 Details:
	 ========
	
	There exists an integer overflow in socket_iovec_alloc() function.  When
	requestiong the following php script, a httpd child will  die  with  the
	error message: child pid  <pidnum>  exit  signal  Segmentation  fault
	(11)
	
	$ cat t.php
	<?php
	    socket_iovec_alloc(0x20000000);
	?>
	

SOLUTION

	PHP developers notified, 4.3.2 will fix this issues.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH