[19506] in bugtraq
Re: [GSA2001-01] PHP IMAP overflow fix problems
daemon@ATHENA.MIT.EDU (Anil Madhavapeddy)
Tue Mar 6 13:54:42 2001
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="-MOQ983872595997af4bee24449e74648abe19a1041e7"
Message-ID: <983872595.3aa4b45343a3c@horde.recoil.org>
Date: Tue, 6 Mar 2001 09:56:35 +0000
Reply-To: Anil Madhavapeddy <anil@RECOIL.ORG>
From: Anil Madhavapeddy <anil@RECOIL.ORG>
X-To: pre <pre@GEEKGANG.CO.UK>, security@horde.org, group@php.net
To: BUGTRAQ@SECURITYFOCUS.COM
This message is in MIME format.
---MOQ983872595997af4bee24449e74648abe19a1041e7
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Quoting pre <pre@GEEKGANG.CO.UK>:
>
> This issue appears to be fixed in the current CVS version of PHP (I
> haven't tested it, just looked at the code).
>
> The gsa2001-01.diff patch against php-4.0.4pl1 reverts the imap module
> to 4.0.3 behavior, without reintroducing the buffer overflow.
>
Attached is a patch against php-4.0.4pl1 (backported from php-cvs), which cures
the problem without imposing 80-character limits or using static buffers.
Just committed it to the OpenBSD-current port of PHP4. Thanks max@horde.org
for testing under Linux.
--
Anil Madhavapeddy, <anil@recoil.org>
---MOQ983872595997af4bee24449e74648abe19a1041e7
Content-Type: text/plain; name="patch-ext_imap_php_imap_c"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline; filename="patch-ext_imap_php_imap_c"
--- ext/imap/php_imap.c.orig Tue Mar 6 09:22:17 2001
+++ ext/imap/php_imap.c Tue Mar 6 09:24:10 2001
@@ -25,7 +25,7 @@
| PHP 4.0 updates: Zeev Suraski <zeev@zend.com> |
+----------------------------------------------------------------------+
*/
-/* $Id: php_imap.c,v 1.50 2000/10/25 17:43:52 andrei Exp $ */
+/* $Id: php_imap.c,v 1.57 2001/02/21 20:33:46 thies Exp $ */
#define IMAP41
@@ -183,7 +183,19 @@
void mail_close_it(zend_rsrc_list_entry *rsrc)
{
pils *imap_le_struct = (pils *)rsrc->ptr;
+ IMAPLS_FETCH();
+
mail_close_full(imap_le_struct->imap_stream, imap_le_struct->flags);
+
+ if (IMAPG(imap_user)) {
+ efree(IMAPG(imap_user));
+ IMAPG(imap_user) = 0;
+ }
+ if (IMAPG(imap_password)) {
+ efree(IMAPG(imap_password));
+ IMAPG(imap_password) = 0;
+ }
+
efree(imap_le_struct);
}
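Review bot: The password buffer is handed back to the allocator with its contents intact: `efree(IMAPG(imap_password))` here, and the same call in the hunks at 645, 732, 743, 781 and 792, never overwrites the plaintext first. Clearing it before the free keeps the credential from lingering in recycled heap memory, e.g. `memset(IMAPG(imap_password), 0, strlen(IMAPG(imap_password)));` ahead of the `efree`. strlen() only reaches the first NUL, while the copy at 645 is made with an explicit length, so keeping that length alongside the pointer would make the wipe exact; a wipe the optimiser cannot drop is preferable if the build has one.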
@@ -633,6 +645,14 @@
}
}
+ if (IMAPG(imap_user)) {
+ efree(IMAPG(imap_user));
+ }
+
+ if (IMAPG(imap_password)) {
+ efree(IMAPG(imap_password));
+ }
+
IMAPG(imap_user) = estrndup(Z_STRVAL_PP(user), Z_STRLEN_PP(user));
IMAPG(imap_password) = estrndup(Z_STRVAL_PP(passwd), Z_STRLEN_PP(passwd));
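Review bot: The credentials are kept in request-wide globals rather than in the per-stream `pils`, so a second imap_open while a stream is still open frees and replaces the pair the first stream was opened with, and mail_close_it on either stream then releases whatever is current. Whether c-client asks for them again after the initial login is not visible in this patch; if it can, the older stream would be answered with the newer stream's credentials or with none. A comment above these frees would record the assumption, for example `/* one credential pair per request: a later open replaces it, any stream close frees it */`. The enclosing function starts and ends outside the hunk.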
@@ -712,6 +732,8 @@
}
}
efree(hashed_details);
+ efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+ efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
RETURN_FALSE;
}
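Review bot: These frees are unguarded, whereas the same frees in mail_close_it and in the hunk at 645 test the pointer first; the failure paths at 743, 781 and 792 repeat the unguarded two-statements-per-line form. On these paths the pointers were presumably just set by the estrndup calls at 645, so this is a consistency point rather than a demonstrated crash. Writing each path as `if (IMAPG(imap_user)) { efree(IMAPG(imap_user)); IMAPG(imap_user) = 0; }` (and likewise for imap_password), or moving that pair into one static helper called from all five places, keeps the paths from drifting apart. The enclosing function starts and ends outside the hunk.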
@@ -721,6 +743,8 @@
node = malloc(sizeof(pils));
if (node == NULL) {
efree(hashed_details);
+ efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+ efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
RETURN_FALSE;
}
@@ -757,6 +781,8 @@
free(headp);
efree(hashed_details);
+ efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+ efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
RETURN_FALSE;
}
@@ -766,11 +792,11 @@
} else {
#endif
imap_stream = mail_open(NIL, Z_STRVAL_PP(mailbox), flags);
- efree(IMAPG(imap_user));
- efree(IMAPG(imap_password));
if (imap_stream == NIL) {
php_error(E_WARNING, "Couldn't open stream %s\n", (*mailbox)->value.str.val);
+ efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;
+ efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;
RETURN_FALSE;
}
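Review bot: Nothing in the new code says why the two frees were taken off the success path: after a successful mail_open the user name and plaintext password now stay in the globals until mail_close_it runs, instead of being released straight after the open. Presumably the login callback may need them again later, but that is not visible here. A comment at the removed lines would make the lifetime explicit, e.g. `/* imap_user/imap_password stay allocated while the stream is open; mail_close_it() frees them */`. The enclosing function continues outside the hunk.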
---MOQ983872595997af4bee24449e74648abe19a1041e7--