php/sme8/php-5.3.3-CVE-2011-1938.patch


https://bugzilla.redhat.com/show_bug.cgi?id=709067

http://svn.php.net/viewvc?view=revision&revision=311369
http://svn.php.net/viewvc?view=revision&revision=311370

--- php-5.3.3/ext/sockets/sockets.c.cve1938
+++ php-5.3.3/ext/sockets/sockets.c
@@ -1333,6 +1333,11 @@ PHP_FUNCTION(socket_connect)
                        break;
 
                case AF_UNIX:
+                       if (addr_len >= sizeof(s_un.sun_path)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");
+                               RETURN_FALSE;
+                       }
+                               
                        memset(&s_un, 0, sizeof(struct sockaddr_un));
 
                        s_un.sun_family = AF_UNIX;
1	slords	1.1.2.1
2			https://bugzilla.redhat.com/show_bug.cgi?id=709067
3
4			http://svn.php.net/viewvc?view=revision&revision=311369
5			http://svn.php.net/viewvc?view=revision&revision=311370
6
7			--- php-5.3.3/ext/sockets/sockets.c.cve1938
8			+++ php-5.3.3/ext/sockets/sockets.c
9			@@ -1333,6 +1333,11 @@ PHP_FUNCTION(socket_connect)
10			break;
11
12			case AF_UNIX:
13			+ if (addr_len >= sizeof(s_un.sun_path)) {
14			+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");
15			+ RETURN_FALSE;
16			+ }
17			+
18			memset(&s_un, 0, sizeof(struct sockaddr_un));
19
20			s_un.sun_family = AF_UNIX;