Bugtraq mailing list archives

@(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function
From: Sir Mordred <mordred () s-mail com>
Date: Tue, 25 Mar 2003 14:31:59 +0000

//@(#) Mordred Security Labs advisory

Release date: March 25, 2003
Name: Integer overflow in PHP socket_iovec_alloc() function
Versions affected: < 4.3.2
Conditions: PHP must be compiled with --enable-sockets option, which is
turned off by default
Risk: average
Author: Sir Mordred (mordred () s-mail com)

I. Description:

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.

The PHP socket extension implements a low-level interface to the socket
communication functions based on the popular BSD sockets, providing the
possibility to act as a socket server as well as a client...

To enable this extension, PHP should be compiled with --enable-sockets.

II. Details:

There exists an integer overflow in the socket_iovec_alloc() function.
When requesting the following PHP script, an httpd child will die with
the error message: child pid <pidnum> exit signal Segmentation fault (11)

$ cat t.php

III. Platforms tested

Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

IV. Workaround

Don't use the sockets extension.

V. Vendor response

Vendor notified, issue will be fixed in PHP 4.3.2.

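An added illustration of the bug class this advisory names, not code from the advisory or from PHP: a count-times-element-size allocation whose byte count wraps in 32-bit arithmetic, next to a checked version that rejects such counts. The function names, the 8-byte element size and the 1024-entry cap are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/uio.h>

#define EXAMPLE_IOV_LIMIT 1024L  /* assumed cap for this example */

/* Byte count an unchecked count * elem_size gives in 32-bit arithmetic. */
uint32_t unchecked_size32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;            /* silently wraps modulo 2^32 */
}

/* Store count * elem_size in *out; return -1 if it would overflow size_t. */
int checked_array_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Allocate a zeroed iovec array, rejecting out-of-range caller-supplied counts. */
struct iovec *iovec_array_alloc(long requested)
{
    size_t bytes;

    if (requested <= 0 || requested > EXAMPLE_IOV_LIMIT)
        return NULL;
    if (checked_array_size((size_t)requested, sizeof(struct iovec), &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed input: 0x20000001 elements of 8 bytes need 4 GiB + 8 bytes. */
    uint32_t n = 0x20000001u;
    struct iovec *v;

    printf("unchecked 32-bit size for %u elements: %u bytes\n",
           (unsigned)n, (unsigned)unchecked_size32(n, 8u));
    printf("checked allocator, same count: %s\n",
           iovec_array_alloc((long)n) ? "allocated" : "rejected");
    v = iovec_array_alloc(4);
    printf("checked allocator, 4 elements: %s\n", v ? "allocated" : "rejected");
    free(v);
    return 0;
}
```

The unchecked path reports an 8-byte buffer for a count that needs over 4 GiB, which is why later writes indexed by the original count land outside the allocation.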
