diff options
| author | Stanislav Malyshev <stas@php.net> | 2018-04-23 13:44:12 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2018-04-23 13:44:12 -0700 |
| commit | a4c55eefd02cc53c5f4bb27732d2ce6cca57b740 (patch) | |
| tree | 53a434b2a5b7fc7ef94dbdaafe1602ccedb3e8e2 | |
| parent | 6e64aba47f4e41d97c4d010024c68320c0855f45 (diff) | |
| parent | 49782c54994ecca2ef2a061063bd5a7079c43527 (diff) | |
| download | php-git-a4c55eefd02cc53c5f4bb27732d2ce6cca57b740.tar.gz | |
Merge remote-tracking branch 'security/bug76248' into PHP-5.6
* security/bug76248:
Fix bug #76248 - Malicious LDAP-Server Response causes Crash
| -rw-r--r-- | ext/ldap/ldap.c | 6 | ||||
| -rw-r--r-- | ext/ldap/tests/bug76248.phpt | 40 |
2 files changed, 45 insertions, 1 deletions
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c index 8ab0fe0727..03ca03d3ad 100644 --- a/ext/ldap/ldap.c +++ b/ext/ldap/ldap.c @@ -1103,7 +1103,11 @@ PHP_FUNCTION(ldap_get_entries) add_assoc_long(tmp1, "count", num_attrib); dn = ldap_get_dn(ldap, ldap_result_entry); - add_assoc_string(tmp1, "dn", dn, 1); + if (dn) { + add_assoc_string(tmp1, "dn", dn, 1); + } else { + add_assoc_null(tmp1, "dn"); + } #if (LDAP_API_VERSION > 2000) || HAVE_NSLDAP || HAVE_ORALDAP || WINDOWS ldap_memfree(dn); #else diff --git a/ext/ldap/tests/bug76248.phpt b/ext/ldap/tests/bug76248.phpt new file mode 100644 index 0000000000..45a7f83efb --- /dev/null +++ b/ext/ldap/tests/bug76248.phpt @@ -0,0 +1,40 @@ +--TEST-- +Bug #76248 (Malicious LDAP-Server Response causes Crash) +--SKIPIF-- +<?php +require_once('skipif.inc'); +if (!function_exists('pcntl_fork')) die('skip fork not available'); +?> +--FILE-- +<?php +$pid = pcntl_fork(); +const PORT = 12345; +if ($pid == 0) { + // child + $server = stream_socket_server("tcp://127.0.0.1:12345"); + $socket = stream_socket_accept($server, 3); + fwrite($socket, base64_decode("MAwCAQFhBwoBAAQABAAweQIBAmR0BJljbj1yb290LGRjPWV4YW1wbGUsZGM9Y29tMFcwIwQLb2JqZWN0Q2xhc3MxFAQSb3JnYW5pemF0aW9uYWxSb2xlMAwEAmNuMQYEBHJvb3QwIgQLZGVzY3JpcHRpb24xEwQRRGlyZWN0b3J5IE1hbmFnZXIwDAIBAmUHCgEABAAEADB5AgEDZHQEmWNuPXJvb3QsZGM9ZXhhbXBsZSxkYz1jb20wVzAjBAtvYmplY3RDbGFzczEUBBJvcmdhbml6YXRpb25hbFJvbGUwDAQCY24xBgQEcm9vdDAiBAtkZXNjcmlwdGlvbjETBBFEaXJlY3RvcnkgTWFuYWdlcjAMAgEDZQcKAQAEAAQA")); + fflush($socket); +} else { + // parent + $ds = ldap_connect("127.0.0.1", PORT); + ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); + $b = ldap_bind($ds, "cn=root,dc=example,dc=com", "secret"); + + $s = ldap_search($ds, "dc=example,dc=com", "(cn=root)"); + $tt = ldap_get_entries($ds, $s); + var_dump($tt); +} +?> +--EXPECT-- +array(2) { + ["count"]=> + int(1) + [0]=> + array(2) { + ["count"]=> + int(0) + ["dn"]=> + NULL + } +}
\ No newline at end of file |