diff options
| author | Sara Golemon <pollita@php.net> | 2014-06-10 11:18:02 -0700 |
|---|---|---|
| committer | Julien Pauli <jpauli@php.net> | 2014-06-25 11:45:15 +0200 |
| commit | 038baca3a1f0676a8062b04a2923ef6630c3e41c (patch) | |
| tree | c21bc1cc651c6ff9e6e7588623c88aa2869ba84a | |
| parent | 33f5d7853145fff91cbfbab38588293d8765cecd (diff) | |
| download | php-git-038baca3a1f0676a8062b04a2923ef6630c3e41c.tar.gz | |
Fix potential segfault in dns_get_record()
If the remote sends us a packet with a malformed TXT record,
we could end up trying to over-consume the packet and wander
off into overruns.
| -rw-r--r-- | ext/standard/dns.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ext/standard/dns.c b/ext/standard/dns.c index 6a894467ff..214a7dc7e9 100644 --- a/ext/standard/dns.c +++ b/ext/standard/dns.c @@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int while (ll < dlen) { n = cp[ll]; + if ((ll + n) >= dlen) { + // Invalid chunk length, truncate + n = dlen - (ll + 1); + } memcpy(tp + ll , cp + ll + 1, n); add_next_index_stringl(entries, cp + ll + 1, n, 1); ll = ll + n + 1; |