Home page logo
/

bugtraq logo Bugtraq mailing list archives

@(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function
From: Sir Mordred <mordred () s-mail com>
Date: Tue, 25 Mar 2003 14:31:59 +0000


//@(#) Mordred Security Labs advisory

Release date: March 25, 2003
Name: Integer overflow in PHP socket_iovec_alloc() function
Versions affected: < 4.3.2
Conditions: PHP must be compiled with --enable-sockets option, which is
turned off by default
Risk: average
Author: Sir Mordred (mordred () s-mail com)

I. Description:

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.

The PHP socket extension implements a low-level interface to the socket
communication functions based on the popular BSD sockets, providing the
possibility to act as a socket server as well as a client...

To enable this extenstion PHP should be compiled with --enable-sockets
option.

II. Details:

There exists an integer overflow in socket_iovec_alloc() function.
When requestiong the following php script, a httpd child will die with
the error message: child pid <pidnum> exit signal Segmentation fault (11)

$ cat t.php
<?php
    socket_iovec_alloc(0x20000000);
?>

III. Platforms tested

Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

III. Workaround

Don't use the sockets extension.

IV. Vendor response

Vendor notified, issue will be fixed in PHP 4.3.2.



________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com


  By Date           By Thread  

Current thread:
  • @(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function Sir Mordred (Mar 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault