 
From: Anil Madhavapeddy (anilRECOIL.ORG)
Date: Tue Mar 06 2001 - 03:56:35 CST


    Quoting pre <preGEEKGANG.CO.UK>:

    >
    > This issue appears to be fixed in the current CVS version of PHP (I
    > haven't tested it, just looked at the code).
    >
    > The gsa2001-01.diff patch against php-4.0.4pl1 reverts the imap module
    > to 4.0.3 behavior, without reintroducing the buffer overflow.
    >

    Attached is a patch against php-4.0.4pl1 (backported from php-cvs), which cures
    the problem without imposing 80-character limits or using static buffers.

    Just committed it to the OpenBSD-current port of PHP4. Thanks maxhorde.org
    for testing under Linux.

    --
    Anil Madhavapeddy, <anilrecoil.org>
    

    --- ext/imap/php_imap.c.orig Tue Mar 6 09:22:17 2001 +++ ext/imap/php_imap.c Tue Mar 6 09:24:10 2001 -25,7 +25,7 | PHP 4.0 updates: Zeev Suraski <zeevzend.com> | +----------------------------------------------------------------------+ */ -/* $Id: php_imap.c,v 1.50 2000/10/25 17:43:52 andrei Exp $ */ +/* $Id: php_imap.c,v 1.57 2001/02/21 20:33:46 thies Exp $ */

    #define IMAP41

    -183,7 +183,19 void mail_close_it(zend_rsrc_list_entry *rsrc) { pils *imap_le_struct = (pils *)rsrc->ptr; + IMAPLS_FETCH(); + mail_close_full(imap_le_struct->imap_stream, imap_le_struct->flags); + + if (IMAPG(imap_user)) { + efree(IMAPG(imap_user)); + IMAPG(imap_user) = 0; + } + if (IMAPG(imap_password)) { + efree(IMAPG(imap_password)); + IMAPG(imap_password) = 0; + } + efree(imap_le_struct); }
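Review bot: The password copy is released in mail_close_it with `efree(IMAPG(imap_password))` while its contents are still intact, so the cleartext credential remains in the request heap after the stream is closed. Because this patch now keeps the copy alive for the whole lifetime of the stream rather than freeing it right after mail_open(), it would be worth overwriting the buffer before the efree, e.g. `memset(IMAPG(imap_password), 0, strlen(IMAPG(imap_password)));`, ideally through a helper the compiler cannot elide. The same applies to the password frees added in the hunks at -633, -712, -721, -757 and -766.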

    -633,6 +645,14 } }

    + if (IMAPG(imap_user)) { + efree(IMAPG(imap_user)); + } + + if (IMAPG(imap_password)) { + efree(IMAPG(imap_password)); + } + IMAPG(imap_user) = estrndup(Z_STRVAL_PP(user), Z_STRLEN_PP(user)); IMAPG(imap_password) = estrndup(Z_STRVAL_PP(passwd), Z_STRLEN_PP(passwd)); -712,6 +732,8 } } efree(hashed_details); + efree(IMAPG(imap_user)); IMAPG(imap_user) = 0; + efree(IMAPG(imap_password)); IMAPG(imap_password) = 0; RETURN_FALSE; }
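Review bot: imap_user and imap_password are single module globals rather than fields of the per-stream `pils` node, so in the hunk at -633 a second open while an earlier stream is still alive frees and replaces the first stream's credentials, and mail_close_it (hunk at -183) then clears them when either stream closes. If the c-client login callback (not visible in this patch) is invoked again for a stream that is still open, it would presumably see another connection's user and password, or a null pointer. Consider keeping the copies in the `pils` node, or at least record the limitation with a comment such as `/* credentials are global: only valid for the most recently opened stream */`. The enclosing function starts and ends outside the hunk.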
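Review bot: The cleanup `efree(IMAPG(imap_user)); IMAPG(imap_user) = 0;` and `efree(IMAPG(imap_password)); IMAPG(imap_password) = 0;` is pasted onto the error path in the hunk at -712 and again in the hunks at -721, -757 and -766, two statements per line and without the NULL guard that mail_close_it uses. A single static helper or macro that checks, frees and resets both globals would keep these paths consistent and make it harder for a future early return to skip the cleanup. The enclosing function starts outside the hunk.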

    -721,6 +743,8 node = malloc(sizeof(pils)); if (node == NULL) { efree(hashed_details); + efree(IMAPG(imap_user)); IMAPG(imap_user) = 0; + efree(IMAPG(imap_password)); IMAPG(imap_password) = 0; RETURN_FALSE; }

    -757,6 +781,8

    free(headp); efree(hashed_details); + efree(IMAPG(imap_user)); IMAPG(imap_user) = 0; + efree(IMAPG(imap_password)); IMAPG(imap_password) = 0; RETURN_FALSE; }

    -766,11 +792,11 } else { #endif imap_stream = mail_open(NIL, Z_STRVAL_PP(mailbox), flags); - efree(IMAPG(imap_user)); - efree(IMAPG(imap_password));

    if (imap_stream == NIL) { php_error(E_WARNING, "Couldn't open stream %s\n", (*mailbox)->value.str.val); + efree(IMAPG(imap_user)); IMAPG(imap_user) = 0; + efree(IMAPG(imap_password)); IMAPG(imap_password) = 0; RETURN_FALSE; }