Skip to content

Instantly share code, notes, and snippets.

/72479.diff Secret

Last active Jun 27, 2016
Embed
What would you like to do?
Patch for 72479
commit cab1c3b3708eead315e033359d07049b23b147a3
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Jun 26 17:52:09 2016 -0700
Fixed bug #72479 - same as #72434
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
index 6c1da4c..e1161c7 100644
--- a/ext/snmp/snmp.c
+++ b/ext/snmp/snmp.c
@@ -2095,6 +2095,14 @@ static int php_snmp_has_property(zval *object, zval *member, int has_set_exists,
}
/* }}} */
+static HashTable *php_snmp_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+ *gc_data = NULL;
+ *gc_data_count = 0;
+ return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */
+
/* {{{ php_snmp_get_properties(zval *object)
Returns all object properties. Injects SNMP properties into object on first call */
static HashTable *php_snmp_get_properties(zval *object TSRMLS_DC)
@@ -2401,6 +2409,7 @@ PHP_MINIT_FUNCTION(snmp)
php_snmp_object_handlers.write_property = php_snmp_write_property;
php_snmp_object_handlers.has_property = php_snmp_has_property;
php_snmp_object_handlers.get_properties = php_snmp_get_properties;
+ php_snmp_object_handlers.get_gc = php_snmp_get_gc;
/* Register SNMP Class */
INIT_CLASS_ENTRY(ce, "SNMP", php_snmp_class_methods);
diff --git a/ext/snmp/tests/bug72479.phpt b/ext/snmp/tests/bug72479.phpt
new file mode 100644
index 0000000..0308754
--- /dev/null
+++ b/ext/snmp/tests/bug72479.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize()
+--SKIPIF--
+<?php
+require_once(dirname(__FILE__).'/skipif.inc');
+?>
+--FILE--
+<?php
+$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
+$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
+$out = unserialize($poc);
+gc_collect_cycles();
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+for ($i = 0; $i < 5; $i++) {
+ $v[$i] = $fakezval.$i;
+}
+var_dump($out[1]);
+
+function ptr2str($ptr)
+{
+ $out = '';
+ for ($i = 0; $i < 8; $i++) {
+ $out .= chr($ptr & 0xff);
+ $ptr >>= 8;
+ }
+ return $out;
+}
+?>
+--EXPECT--
+int(1)
\ No newline at end of file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment