Re: [GSA2001-01] PHP IMAP overflow fix problems
- Subject: Re: [GSA2001-01] PHP IMAP overflow fix problems
- From: Anil Madhavapeddy <anil@RECOIL.ORG>
- Date: Tue, 6 Mar 2001 09:56:35 +0000
- Approved-By: aleph1@SECURITYFOCUS.COM
- Delivered-To: bugtraq@lists.securityfocus.com
- Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
- Reply-To: Anil Madhavapeddy <anil@RECOIL.ORG>
- Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
- User-Agent: Internet Messaging Program (IMP) 2.3.6-cvs
Quoting pre <pre@GEEKGANG.CO.UK>:
>
> This issue appears to be fixed in the current CVS version of PHP (I
> haven't tested it, just looked at the code).
>
> The gsa2001-01.diff patch against php-4.0.4pl1 reverts the imap module
> to 4.0.3 behavior, without reintroducing the buffer overflow.
>
Attached is a patch against php-4.0.4pl1 (backported from php-cvs), which
cures the problem without imposing 80-character limits or using static buffers.
Just committed it to the OpenBSD-current port of PHP4. Thanks max@horde.org
for testing under Linux.
--
Anil Madhavapeddy, <anil@recoil.org>
--- ext/imap/php_imap.c.orig Tue Mar 6 09:22:17 2001
+++ ext/imap/php_imap.c Tue Mar 6 09:24:10 2001
@@ -25,7 +25,7 @@
| PHP 4.0 updates: Zeev Suraski <zeev@zend.com> |
+----------------------------------------------------------------------+
*/
-/* $Id: php_imap.c,v 1.50 2000/10/25 17:43:52 andrei Exp $ */
+/* $Id: php_imap.c,v 1.57 2001/02/21 20:33:46 thies Exp $ */
#define IMAP41
@@ -183,7 +183,19 @@
void mail_close_it(zend_rsrc_list_entry *rsrc)
{
pils *imap_le_struct = (pils *)rsrc->ptr;
+ IMAPLS_FETCH();
+
mail_close_full(imap_le_struct->imap_stream, imap_le_struct->flags);
+
+ if (IMAPG(imap_user)) {
+ efree(IMAPG(imap_user));
+ IMAPG(imap_user) = 0;
+ }
+ if (IMAPG(imap_password)) {
+ efree(IMAPG(imap_password));
+ IMAPG(imap_password) = 0;
+ }
+
efree(imap_le_struct);
}
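Review bot: The password is released with a bare `efree(IMAPG(imap_password));` in mail_close_it, so the plaintext credential stays in the freed heap block until the allocator reuses it; the same bare efree() of the password appears in the hunks at @@ -633, @@ -712, @@ -721, @@ -757 and @@ -766. Since this patch exists to tighten credential handling, wipe before freeing, e.g. `memset(IMAPG(imap_password), 0, strlen(IMAPG(imap_password)));` immediately ahead of each `efree(IMAPG(imap_password));` — using an explicit-memset helper if the build has one, because a plain memset just before free can be optimized away. Separately, these IMAPG globals are per-request rather than per-stream, and this destructor nulls them whenever any imap stream resource is closed; if a script holds two streams open, closing one appears to leave the other without credentials for any later login callback, which is outside this diff and worth confirming.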
@@ -633,6 +645,14 @@
}
}
+ if (IMAPG(imap_user)) {
+ efree(IMAPG(imap_user));
+ }
+
+ if (IMAPG(imap_password)) {
+ efree(IMAPG(imap_password));
+ }
+
IMAPG(imap_user) = estrndup(Z_STRVAL_PP(user), Z_STRLEN_PP(user));
IMAPG(imap_password) = estrndup(Z_STRVAL_PP(passwd),
Z_STRLEN_PP(passwd));
@@ -712,6 +732,8 @@
}
}
efree(hashed_details);
+ efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+ efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
RETURN_FALSE;
}
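Review bot: The cleanup pair `efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;` / `efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;` is pasted verbatim onto this error path and again in the hunks at @@ -721, @@ -757 and @@ -766, with a guarded variant in mail_close_it; five copies of the same two statements invite the next error path to forget one of them. A single file-scope `static` helper that frees and nulls both pointers (fetching the module globals the same way mail_close_it does with IMAPLS_FETCH()) would let each of these sites become one call, and mail_close_it could use it too since the null checks are redundant with efree semantics only if the project's efree tolerates NULL, which this diff does not show. The enclosing open function starts and ends outside the hunk.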
@@ -721,6 +743,8 @@
node = malloc(sizeof(pils));
if (node == NULL) {
efree(hashed_details);
+ efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+ efree(IMAPG(imap_password));
+IMAPG(imap_password) = 0;
RETURN_FALSE;
}
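Review bot: The added line `efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;` appears here split across two lines, with `IMAPG(imap_password) = 0;` carrying its own leading `+` at column 0 — most likely mailer line-wrapping rather than the committed form, since every sibling hunk has it on one line. As posted, this hunk is unlikely to apply cleanly with patch(1); anyone hand-merging should re-join the two statements to match the hunks at @@ -712 and @@ -757 before committing. The enclosing function continues outside the hunk.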
@@ -757,6 +781,8 @@
free(headp);
efree(hashed_details);
+ efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+ efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
RETURN_FALSE;
}
@@ -766,11 +792,11 @@
} else {
#endif
imap_stream = mail_open(NIL, Z_STRVAL_PP(mailbox), flags);
- efree(IMAPG(imap_user));
- efree(IMAPG(imap_password));
if (imap_stream == NIL) {
php_error(E_WARNING, "Couldn't open stream %s\n",
(*mailbox)->value.str.val);
+ efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+ efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
RETURN_FALSE;
}