ext/sockets: bound interface name copy in from_zval_write_ifindex() #22379
iliaal wants to merge 1 commit into
Not entirely true. The regression commit 3e9b530 is contained in PHP-8.5 (`git branch --contains` confirms it), and PHP-8.5:ext/sockets/conversions.c carries the same
The SIOCGIFINDEX fallback checked ZSTR_LEN against sizeof(ifr.ifr_name) but did not return on overflow, then memcpy'd ZSTR_LEN+1 bytes into the fixed ifr_name buffer, so an over-long interface name overran the stack. This regressed in 3e9b530, which replaced the original bounded strlcpy with an unguarded memcpy. Restore the strlcpy plus else-if guard, matching PHP-8.4.
08c0e82 to 1904658
You're right, 3e9b530 is in 8.5 too and its conversions.c has the same fall-through memcpy. Retargeted to PHP-8.5 as the lowest affected branch; 8.4 still has the strlcpy, so it's unaffected.
3e9b530 replaced the bounded strlcpy in from_zval_write_ifindex() with a memcpy of ZSTR_LEN+1 bytes that runs even when the name overflows ifr_name: the length check sets an error but falls through instead of returning, overrunning the stack. PHP-8.5 and master both carry the regression; 8.4 still has the strlcpy and is unaffected. Restore the strlcpy plus else-if guard.
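
The guard-then-copy ordering that the commit message above describes, as an added C example that is not the PHP source or this PR's patch. `set_ifname` and `ifname_to_index` are hypothetical names, the explicit `memcpy` plus terminator stands in for `strlcpy` (not available in every libc), and the ioctl path assumes Linux's `SIOCGIFINDEX`.

```c
#define _DEFAULT_SOURCE
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: copy a length-counted name into ifr->ifr_name.
 * Returns 0 on success, -1 when the name plus its NUL does not fit.
 * On failure the buffer is not written at all. */
static int set_ifname(struct ifreq *ifr, const char *name, size_t len)
{
    if (len >= sizeof(ifr->ifr_name)) {
        /* The regression on this page recorded the error at this point
         * but fell through to the copy; returning here is the guard. */
        return -1;
    }
    memcpy(ifr->ifr_name, name, len);   /* len < sizeof(ifr_name) here */
    ifr->ifr_name[len] = '\0';
    return 0;
}

/* Hypothetical lookup: index > 0 on success, 0 when the interface is
 * unknown or the ioctl is unavailable, -1 when the name is too long. */
static int ifname_to_index(const char *name, size_t len)
{
    struct ifreq ifr;
    int idx = 0;

    memset(&ifr, 0, sizeof(ifr));
    if (set_ifname(&ifr, name, len) != 0) {
        return -1;                      /* no syscall with a bad name */
    }
#ifdef SIOCGIFINDEX
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd >= 0) {
        if (ioctl(fd, SIOCGIFINDEX, &ifr) == 0) {
            idx = ifr.ifr_ifindex;
        }
        close(fd);
    }
#endif
    return idx;
}

int main(void)
{
    const char too_long[] = "constructed-name-longer-than-ifnamsiz";
    printf("lo -> %d\n", ifname_to_index("lo", 2));
    printf("over-long -> %d\n", ifname_to_index(too_long, sizeof(too_long) - 1));
    return 0;
}
```

A name of exactly `IFNAMSIZ - 1` bytes is the longest that is accepted, because the terminator takes the last byte of `ifr_name`.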