PHP Driver: Extension / PHPC-1775

php_phongo_dbpointer_init uses incorrect size for strncpy


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.9.1
    • Component/s: None
    • Labels: None

      Description

      When initializing a DBPointer, the size of the struct's id buffer (25) is provided to strncpy. We should actually specify 24, since that is the typical length provided to the function for valid input.

      php_phongo_dbpointer_init is called from two contexts:

      • php_phongo_dbpointer_init_from_hash, which passes results from Z_STRVAL_P and Z_STRLEN_P. The length will be 24 in most cases.
      • php_phongo_dbpointer_clone_object, which passes the original struct's id buffer and a fixed size of 24.

      Note that bson_oid_is_valid accepts a length of 25, provided that byte is a null terminator. Otherwise, 24 is required.

      Secondly, although we can assume the internal struct was zero-allocated, it may be safer to explicitly set the null byte after copying:

      strncpy(intern->id, id, sizeof(intern->id) - 1);
      intern->id[24] = '\0';
      

      Alternatively, memset the entire structure first:

      memset(intern->id, 0, sizeof(intern->id));
      strncpy(intern->id, id, sizeof(intern->id) - 1);
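
As an added illustration (not the extension's own code), the constructed struct below stands in for the DBPointer's 25-byte id buffer, and the two init routines contrast the original strncpy call with the corrected form. The struct name, function names and sample ids are hypothetical; the buffer is deliberately filled with non-zero bytes so that only an explicit terminator makes it a valid C string.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the extension's DBPointer struct: 24 hex chars
 * plus one byte for the terminator. Names here are hypothetical. */
typedef struct {
    char id[25];
} dbpointer_t;

/* Original form from the ticket: n == sizeof(id), so a source of 25 or
 * more bytes is copied without a terminating null. */
static void dbpointer_init_before(dbpointer_t *intern, const char *id)
{
    strncpy(intern->id, id, sizeof(intern->id));
}

/* Corrected form: zero the buffer, copy at most 24 bytes, terminate. */
static void dbpointer_init_after(dbpointer_t *intern, const char *id)
{
    memset(intern->id, 0, sizeof(intern->id));
    strncpy(intern->id, id, sizeof(intern->id) - 1);
    intern->id[sizeof(intern->id) - 1] = '\0';
}

/* 1 if a null byte exists somewhere inside the 25-byte id buffer. */
static int dbpointer_id_is_terminated(const dbpointer_t *intern)
{
    return memchr(intern->id, '\0', sizeof(intern->id)) != NULL;
}

/* Run one init routine on a struct whose buffer is deliberately NOT
 * zero-filled (not the zero-allocated case the ticket assumes). */
static int check_init(void (*init)(dbpointer_t *, const char *), const char *input)
{
    dbpointer_t p;
    memset(p.id, 'X', sizeof(p.id));
    init(&p, input);
    return dbpointer_id_is_terminated(&p);
}

int main(void)
{   /* constructed inputs: a valid 24-char id and an overlong 25-char id */
    const char *ok = "0123456789abcdef01234567", *overlong = "0123456789abcdef012345678";
    printf("before: %d %d\n", check_init(dbpointer_init_before, ok), check_init(dbpointer_init_before, overlong));
    printf("after:  %d %d\n", check_init(dbpointer_init_after, ok), check_init(dbpointer_init_after, overlong));
    return 0;
}
```

With a 24-byte id both forms terminate the buffer (strncpy pads the unused byte), but only the corrected form guarantees a terminator when the input is 25 bytes or longer.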
      

              People

              Assignee: andreas.braun (Andreas Braun)
              Reporter: jmikola (Jeremy Mikola)
