--- a/ext/standard/dns.c 2014-08-14 14:43:45.880377423 +0200
+++ b/ext/standard/dns.c 2014-08-14 14:51:15.602779946 +0200
@@ -402,8 +402,14 @@
#if HAVE_FULL_DNS_FUNCS
+#define CHECKCP(n) do { \
+ if (cp + n > end) { \
+ return NULL; \
+ } \
+} while (0)
+
/* {{{ php_parserr */
-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
+static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
{
u_short type, class, dlen;
u_long ttl;
@@ -415,16 +421,18 @@
*subarray = NULL;
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
+ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
if (n < 0) {
return NULL;
}
cp += n;
+ CHECKCP(10);
GETSHORT(type, cp);
GETSHORT(class, cp);
GETLONG(ttl, cp);
GETSHORT(dlen, cp);
+ CHECKCP(dlen);
if (type_to_fetch != T_ANY && type != type_to_fetch) {
cp += dlen;
return cp;
@@ -441,12 +449,14 @@
add_assoc_string(*subarray, "host", name, 1);
switch (type) {
case DNS_T_A:
+ CHECKCP(4);
add_assoc_string(*subarray, "type", "A", 1);
snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
add_assoc_string(*subarray, "ip", name, 1);
cp += dlen;
break;
case DNS_T_MX:
+ CHECKCP(2);
add_assoc_string(*subarray, "type", "MX", 1);
GETSHORT(n, cp);
add_assoc_long(*subarray, "pri", n);
@@ -465,7 +475,7 @@
if (type == DNS_T_PTR) {
add_assoc_string(*subarray, "type", "PTR", 1);
}
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
if (n < 0) {
return NULL;
}
@@ -475,18 +485,22 @@
case DNS_T_HINFO:
/* See RFC 1010 for values */
add_assoc_string(*subarray, "type", "HINFO", 1);
+ CHECKCP(1);
n = *cp & 0xFF;
cp++;
+ CHECKCP(n);
add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
cp += n;
+ CHECKCP(1);
n = *cp & 0xFF;
cp++;
+ CHECKCP(n);
add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
cp += n;
break;
case DNS_T_TXT:
{
- int ll = 0;
+ int l1 = 0, l2 = 0;
zval *entries = NULL;
add_assoc_string(*subarray, "type", "TXT", 1);
@@ -495,37 +509,42 @@
MAKE_STD_ZVAL(entries);
array_init(entries);
- while (ll < dlen) {
- n = cp[ll];
- if ((ll + n) >= dlen) {
+ while (l1 < dlen) {
+ n = cp[l1];
+ if ((l1 + n) >= dlen) {
// Invalid chunk length, truncate
- n = dlen - (ll + 1);
+ n = dlen - (l1 + 1);
+ }
+ if (n) {
+ memcpy(tp + l2 , cp + l1 + 1, n);
+ add_next_index_stringl(entries, cp + l1 + 1, n, 1);
}
- memcpy(tp + ll , cp + ll + 1, n);
- add_next_index_stringl(entries, cp + ll + 1, n, 1);
- ll = ll + n + 1;
+ l1 = l1 + n + 1;
+ l2 = l2 + n;
}
tp[dlen] = '\0';
+ tp[l2] = '\0';
cp += dlen;
- add_assoc_stringl(*subarray, "txt", tp, dlen - 1, 0);
+ add_assoc_stringl(*subarray, "txt", tp, l2, 0);
add_assoc_zval(*subarray, "entries", entries);
}
break;
case DNS_T_SOA:
add_assoc_string(*subarray, "type", "SOA", 1);
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
if (n < 0) {
return NULL;
}
cp += n;
add_assoc_string(*subarray, "mname", name, 1);
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
if (n < 0) {
return NULL;
}
cp += n;
add_assoc_string(*subarray, "rname", name, 1);
+ CHECKCP(5*4);
GETLONG(n, cp);
add_assoc_long(*subarray, "serial", n);
GETLONG(n, cp);
@@ -539,6 +558,7 @@
break;
case DNS_T_AAAA:
tp = (u_char*)name;
+ CHECKCP(8*2);
for(i=0; i < 8; i++) {
GETSHORT(s, cp);
if (s != 0) {
@@ -573,6 +593,7 @@
case DNS_T_A6:
p = cp;
add_assoc_string(*subarray, "type", "A6", 1);
+ CHECKCP(1);
n = ((int)cp[0]) & 0xFF;
cp++;
add_assoc_long(*subarray, "masklen", n);
@@ -608,6 +629,7 @@
cp++;
}
for (i = (n + 8) / 16; i < 8; i++) {
+ CHECKCP(2);
GETSHORT(s, cp);
if (s != 0) {
if (tp > (u_char *)name) {
@@ -637,7 +659,7 @@
tp[0] = '\0';
add_assoc_string(*subarray, "ipv6", name, 1);
if (cp < p + dlen) {
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
if (n < 0) {
return NULL;
}
@@ -646,6 +668,7 @@
}
break;
case DNS_T_SRV:
+ CHECKCP(3*2);
add_assoc_string(*subarray, "type", "SRV", 1);
GETSHORT(n, cp);
add_assoc_long(*subarray, "pri", n);
@@ -653,7 +676,7 @@
add_assoc_long(*subarray, "weight", n);
GETSHORT(n, cp);
add_assoc_long(*subarray, "port", n);
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
if (n < 0) {
return NULL;
}
@@ -661,21 +684,35 @@
add_assoc_string(*subarray, "target", name, 1);
break;
case DNS_T_NAPTR:
+ CHECKCP(2*2);
add_assoc_string(*subarray, "type", "NAPTR", 1);
GETSHORT(n, cp);
add_assoc_long(*subarray, "order", n);
GETSHORT(n, cp);
add_assoc_long(*subarray, "pref", n);
+
+ CHECKCP(1);
n = (cp[0] & 0xFF);
- add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
+ cp++;
+ CHECKCP(n);
+ add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
cp += n;
+
+ CHECKCP(1);
n = (cp[0] & 0xFF);
- add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
+ cp++;
+ CHECKCP(n);
+ add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
cp += n;
+
+ CHECKCP(1);
n = (cp[0] & 0xFF);
- add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
+ cp++;
+ CHECKCP(n);
+ add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
cp += n;
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
if (n < 0) {
return NULL;
}
@@ -842,7 +879,7 @@
while (an-- && cp && cp < end) {
zval *retval;
- cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
+ cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
if (retval != NULL && store_results) {
add_next_index_zval(return_value, retval);
}
@@ -855,7 +892,7 @@
while (ns-- > 0 && cp && cp < end) {
zval *retval = NULL;
- cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval);
+ cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval);
if (retval != NULL) {
add_next_index_zval(authns, retval);
}
@@ -867,7 +904,7 @@
while (ar-- > 0 && cp && cp < end) {
zval *retval = NULL;
- cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
+ cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
if (retval != NULL) {
add_next_index_zval(addtl, retval);
}
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
56662f8135650f8f8f84b2c96c004eb0
>
files
>
57
