@(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function

[Sir Mordred <mordred () s-mail com>]

//@(#) Mordred Security Labs advisory

Release date: March 25, 2003
Name: Integer overflow in PHP socket_iovec_alloc() function
Versions affected: < 4.3.2
Conditions: PHP must be compiled with --enable-sockets option, which is
turned off by default
Risk: average
Author: Sir Mordred (mordred () s-mail com)

I. Description:

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.

The PHP socket extension implements a low-level interface to the socket
communication functions based on the popular BSD sockets, providing the
possibility to act as a socket server as well as a client...

To enable this extenstion PHP should be compiled with --enable-sockets
option.

II. Details:

There exists an integer overflow in socket_iovec_alloc() function.
When requestiong the following php script, a httpd child will die with
the error message: child pid <pidnum> exit signal Segmentation fault (11)

$ cat t.php
<?php
    socket_iovec_alloc(0x20000000);
?>

III. Platforms tested

Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

III. Workaround

Don't use the sockets extension.

IV. Vendor response

Vendor notified, issue will be fixed in PHP 4.3.2.



________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com