You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

75 lines
2.3 KiB

From: Markus Koschany <apo@debian.org>
Date: Wed, 9 May 2018 15:20:34 +0200
Subject: CVE-2018-10548
Bug-Upstream: https://bugs.php.net/bug.php?id=76248
---
ext/ldap/ldap.c | 6 +++++-
ext/ldap/tests/bug76248.phpt | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+), 1 deletion(-)
create mode 100644 ext/ldap/tests/bug76248.phpt
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
index 2092b5e..a3c604b 100644
--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -1026,7 +1026,11 @@ PHP_FUNCTION(ldap_get_entries)
add_assoc_long(tmp1, "count", num_attrib);
dn = ldap_get_dn(ldap, ldap_result_entry);
- add_assoc_string(tmp1, "dn", dn, 1);
+ if (dn) {
+ add_assoc_string(tmp1, "dn", dn, 1);
+ } else {
+ add_assoc_null(tmp1, "dn");
+ }
#if (LDAP_API_VERSION > 2000) || HAVE_NSLDAP || HAVE_ORALDAP_10 || WINDOWS
ldap_memfree(dn);
#else
diff --git a/ext/ldap/tests/bug76248.phpt b/ext/ldap/tests/bug76248.phpt
new file mode 100644
index 0000000..45a7f83
--- /dev/null
+++ b/ext/ldap/tests/bug76248.phpt
@@ -0,0 +1,40 @@
+--TEST--
+Bug #76248 (Malicious LDAP-Server Response causes Crash)
+--SKIPIF--
+<?php
+require_once('skipif.inc');
+if (!function_exists('pcntl_fork')) die('skip fork not available');
+?>
+--FILE--
+<?php
+$pid = pcntl_fork();
+const PORT = 12345;
+if ($pid == 0) {
+ // child
+ $server = stream_socket_server("tcp://127.0.0.1:12345");
+ $socket = stream_socket_accept($server, 3);
+ fwrite($socket, base64_decode("MAwCAQFhBwoBAAQABAAweQIBAmR0BJljbj1yb290LGRjPWV4YW1wbGUsZGM9Y29tMFcwIwQLb2JqZWN0Q2xhc3MxFAQSb3JnYW5pemF0aW9uYWxSb2xlMAwEAmNuMQYEBHJvb3QwIgQLZGVzY3JpcHRpb24xEwQRRGlyZWN0b3J5IE1hbmFnZXIwDAIBAmUHCgEABAAEADB5AgEDZHQEmWNuPXJvb3QsZGM9ZXhhbXBsZSxkYz1jb20wVzAjBAtvYmplY3RDbGFzczEUBBJvcmdhbml6YXRpb25hbFJvbGUwDAQCY24xBgQEcm9vdDAiBAtkZXNjcmlwdGlvbjETBBFEaXJlY3RvcnkgTWFuYWdlcjAMAgEDZQcKAQAEAAQA"));
+ fflush($socket);
+} else {
+ // parent
+ $ds = ldap_connect("127.0.0.1", PORT);
+ ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
+ $b = ldap_bind($ds, "cn=root,dc=example,dc=com", "secret");
+
+ $s = ldap_search($ds, "dc=example,dc=com", "(cn=root)");
+ $tt = ldap_get_entries($ds, $s);
+ var_dump($tt);
+}
+?>
+--EXPECT--
+array(2) {
+ ["count"]=>
+ int(1)
+ [0]=>
+ array(2) {
+ ["count"]=>
+ int(0)
+ ["dn"]=>
+ NULL
+ }
+}
\ No newline at end of file