From 882a375dbad4ecb1fddd9dd80f1a1350299629c1 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 31 Jan 2015 18:59:18 -0800 Subject: [PATCH] Add mitigation for CVE-2015-0235 (bug #68925) --- NEWS | 3 +++ ext/sockets/sockaddr_conv.c | 6 +++++- ext/standard/string.c | 2 +- main/network.c | 1 - 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 09eeb31281c..88ca5ee6182 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2015, PHP 5.5.22 +- Core: + . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname + buffer overflow). (Stas) - Date: . Fixed bug #45081 (strtotime incorrectly interprets SGT time zone). (Derick) diff --git a/ext/sockets/sockaddr_conv.c b/ext/sockets/sockaddr_conv.c index 1c1a90d58f0..80807dd243d 100644 --- a/ext/sockets/sockaddr_conv.c +++ b/ext/sockets/sockaddr_conv.c @@ -9,6 +9,10 @@ #include #endif +#ifndef MAXHOSTNAMELEN +#define MAXHOSTNAMELEN 255 +#endif + extern int php_string_to_if_index(const char *val, unsigned *out TSRMLS_DC); #if HAVE_IPV6 @@ -90,7 +94,7 @@ int php_set_inet_addr(struct sockaddr_in *sin, char *string, php_socket *php_soc if (inet_aton(string, &tmp)) { sin->sin_addr.s_addr = tmp.s_addr; } else { - if (! (host_entry = gethostbyname(string))) { + if (strlen(string) > MAXHOSTNAMELEN || ! (host_entry = gethostbyname(string))) { /* Note: < -10000 indicates a host lookup error */ #ifdef PHP_WIN32 PHP_SOCKET_ERROR(php_sock, "Host lookup failed", WSAGetLastError()); diff --git a/ext/standard/string.c b/ext/standard/string.c index cb212b49c27..410535b41c0 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c 
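Review bot: The `#ifndef MAXHOSTNAMELEN` fallback added to ext/sockets/sockaddr_conv.c (hunk @@ -9,6 +9,10) only takes effect when no system header has already defined the macro, so the limit the new guard enforces varies by platform. glibc's <sys/param.h> defines MAXHOSTNAMELEN as 64, because it bounds the local host name rather than a DNS name. If that header reaches this file (its include list is only partly visible here), valid names of 65 to 255 bytes would be refused before any lookup. A dedicated constant avoids this, `#ifndef MAXFQDNLEN` / `#define MAXFQDNLEN 255` / `#endif`, with the check in php_set_inet_addr comparing against it. A one-line comment such as `/* upper bound on names passed to gethostbyname(), see CVE-2015-0235 */` above the define would record why the bound exists.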
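Review bot: In the php_set_inet_addr hunk (@@ -90,7 +94,7), when `strlen(string) > MAXHOSTNAMELEN` short-circuits, gethostbyname() is never called, yet the branch still reports "Host lookup failed" with `WSAGetLastError()`. The reported code is therefore stale or zero and does not tell the caller that the name was rejected for its length. The non-Windows error line and the rest of the function lie outside the hunk, but that path presumably reads h_errno in the same way. I would test the length in its own branch ahead of the lookup and emit a distinct warning, e.g. `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Host name is too long, the limit is %d characters", MAXHOSTNAMELEN);`, then return the function's existing failure value. This is also the only gethostbyname() call the patch guards: main/network.c loses only a blank line, so any resolver calls there (not visible in this diff) are not bounded by this commit.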
@@ -3940,7 +3940,7 @@ static void php_str_replace_in_subject(zval *search, zval *replace, zval **subje replace_value, replace_len, &Z_STRLEN(temp_result), case_sensitivity, replace_count); } - str_efree(Z_STRVAL_P(result)); + str_efree(Z_STRVAL_P(result)); Z_STRVAL_P(result) = Z_STRVAL(temp_result); Z_STRLEN_P(result) = Z_STRLEN(temp_result); diff --git a/main/network.c b/main/network.c index 702509a9d90..c93e366cc6d 100644 --- a/main/network.c +++ b/main/network.c @@ -27,7 +27,6 @@ #include - #ifdef PHP_WIN32 # include # include "win32/inet.h"