26th Mar 2003 [SBWID-6092]
COMMAND
PHP Integer overflow in socket_iovec_alloc() function and memory
allocator
SYSTEMS AFFECTED
PHP < 4.3.2
Tested on :
Linux 2.4 with Apache 1.3.27 / PHP 4.3.1
PROBLEM
In Sir Mordred [[email protected]] of Mordred Security Labs
[http://mslabs.iwebland.com], advisories :
1
=
In PHP, the emalloc() function implements an error-safe wrapper around
malloc(). Unfortunately this function suffers from an integer overflow
and, considering the fact that emalloc() is used in many places around
the PHP source code, it may lead to many serious security issues.
Here I will describe only a couple of minor issues in the PHP sockets
extension. This extension is turned off by default and to enable it you
should compile PHP with the --enable-sockets option.
* Issue 1 - Integer sign error in PHP socket_recv() function
Requesting the following short script will cause a httpd child to die
with the error message - child pid <pidnum> exit signal Segmentation
fault (11)
$ cat t1.php
<?php
$buf = "";
socket_recv(socket_create(AF_INET, SOCK_STREAM, 0), $buf, -3, 0);
?>
* Issue 2 - Integer sign error in PHP socket_recvfrom() function
Requesting the following script will also cause a httpd child to die.
$ cat t2.php
<?php
$buf = "";
$name = "";
socket_recvfrom(socket_create(AF_INET, SOCK_STREAM, 0), $buf, -3, 0,
$name);
?>
2
=
The PHP socket extension implements a low-level interface to the socket
communication functions based on the popular BSD sockets, providing the
possibility to act as a socket server as well as a client...
To enable this extension PHP should be compiled with the --enable-sockets
option.
Details:
========
There exists an integer overflow in the socket_iovec_alloc() function. When
requesting the following PHP script, a httpd child will die with the
error message: child pid <pidnum> exit signal Segmentation fault
(11)
$ cat t.php
<?php
socket_iovec_alloc(0x20000000);
?>
SOLUTION
PHP developers notified; 4.3.2 will fix these issues.
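The size arithmetic behind the crashes above, with the validation that prevents it, as an added example that is not PHP's source code or part of the original advisory. It assumes a 32-bit size_t and an 8-byte struct iovec (neither is stated in the advisory); the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 8-byte struct iovec, as on 32-bit Linux. uint32_t stands in
   for a 32-bit size_t so the wrap-around is visible on any host. */
#define IOVEC_SIZE_32 8u

/* Unchecked pattern: element count times element size, modulo 2^32. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked pattern: refuse the request when the product cannot fit. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* Script-supplied lengths are signed: reject negative values before they
   are converted to an unsigned allocation size. */
bool checked_recv_len(long len, uint32_t *out)
{
    if (len < 0 || (unsigned long)len > UINT32_MAX)
        return false;
    *out = (uint32_t)len;
    return true;
}

int main(void)
{
    uint32_t size = 0;
    /* Values taken from the scripts in the advisory: 0x20000000 and -3. */
    printf("unchecked 0x20000000 * 8 = %u bytes\n",
           (unsigned)unchecked_alloc_size(0x20000000u, IOVEC_SIZE_32));
    printf("checked   0x20000000 * 8 accepted: %d\n",
           checked_alloc_size(0x20000000u, IOVEC_SIZE_32, &size));
    printf("length -3 accepted: %d\n", checked_recv_len(-3, &size));
    return 0;
}
```

Under these assumptions the unchecked product wraps to a zero-byte request while the caller still believes it holds 0x20000000 vectors, which is why the check has to happen before the allocator is called.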