php/sme8/php-5.3.3-CVE-2011-1938.patch


https://bugzilla.redhat.com/show_bug.cgi?id=709067

http://svn.php.net/viewvc?view=revision&revision=311369
http://svn.php.net/viewvc?view=revision&revision=311370

--- php-5.3.3/ext/sockets/sockets.c.cve1938
+++ php-5.3.3/ext/sockets/sockets.c
@@ -1333,6 +1333,11 @@ PHP_FUNCTION(socket_connect)
                        break;
 
                case AF_UNIX:
+                       if (addr_len >= sizeof(s_un.sun_path)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");
+                               RETURN_FALSE;
+                       }
+                               
                        memset(&s_un, 0, sizeof(struct sockaddr_un));
 
                        s_un.sun_family = AF_UNIX;
1
2	https://bugzilla.redhat.com/show_bug.cgi?id=709067
3
4	http://svn.php.net/viewvc?view=revision&revision=311369
5	http://svn.php.net/viewvc?view=revision&revision=311370
6
7	--- php-5.3.3/ext/sockets/sockets.c.cve1938
8	+++ php-5.3.3/ext/sockets/sockets.c
9	@@ -1333,6 +1333,11 @@ PHP_FUNCTION(socket_connect)
10	break;
11
12	case AF_UNIX:
13	+ if (addr_len >= sizeof(s_un.sun_path)) {
14	+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");
15	+ RETURN_FALSE;
16	+ }
17	+
18	memset(&s_un, 0, sizeof(struct sockaddr_un));
19
20	s_un.sun_family = AF_UNIX;