| commit | 0adaeaee5dff55f4d0214e7eaa014a916cca5918 | |
| author | Paul Tarjan <ptarjan@fb.com> | |
| Tue, 10 Jun 2014 17:15:40 +0000 (10 10:15 -0700) | ||
| committer | facebook-github-bot <githubbot@fb.com> | |
| Tue, 10 Jun 2014 19:17:56 +0000 (10 12:17 -0700) | ||
| tree | 7fd3e950a61b908d5ececfd12804fd9d7728269f | treesnapshot (tar.gz zip) |
| parent | d373bf992381e60a5f1b0b87b6eebd611ec18ee6 | commitdiff |
don't buffer overrun on bad DNS TXT records
Summary: The TXT record is transmitted as
...stuff... [record length] ...stuff... [chunk length] chunk [chunk length] chunk ...
We preallocate a buffer of size `record length` but if any `chunk length` goes longer than that we happily overrun the end of the array. php5 is vulnarable to this as well. I'll send a PR.
Reviewed By: bertrand, joelm
Differential Revision: D1373942
Summary: The TXT record is transmitted as
...stuff... [record length] ...stuff... [chunk length] chunk [chunk length] chunk ...
We preallocate a buffer of size `record length` but if any `chunk length` goes longer than that we happily overrun the end of the array. php5 is vulnarable to this as well. I'll send a PR.
Reviewed By: bertrand, joelm
Differential Revision: D1373942
| hphp/runtime/ext/std/ext_std_network.cpp | diffblobblamehistory |