iliaa Wed Mar 14 19:37:07 2007 UTC
Modified files: (Branch: PHP_5_2)
/php-src/ext/session session.c
Log:
Fixed MOPB-22-2007:PHP session_regenerate_id() Double Free Vulnerability
# Discovered by Stefan Esser
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.31&r2=1.417.2.8.2.32&diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.417.2.8.2.31
php-src/ext/session/session.c:1.417.2.8.2.32
--- php-src/ext/session/session.c:1.417.2.8.2.31 Sat Mar 3 15:07:31 2007
+++ php-src/ext/session/session.c Wed Mar 14 19:37:07 2007
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: session.c,v 1.417.2.8.2.31 2007/03/03 15:07:31 iliaa Exp $ */
+/* $Id: session.c,v 1.417.2.8.2.32 2007/03/14 19:37:07 iliaa Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -846,6 +846,7 @@
} else if (PS(invalid_session_id)) { /* address instances where the
session read fails due to an invalid id */
PS(invalid_session_id) = 0;
efree(PS(id));
+ PS(id) = NULL;
goto new_session;
}
}
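Review bot: The added `PS(id) = NULL;` after `efree(PS(id));` carries no comment saying why it is needed, here or at the second site in the -1575 hunk, where the very next statement reassigns `PS(id)` from `s_create_sid()` and the store reads like dead code. A later cleanup could drop it and reopen the double free named in the log, so I would add a line at both sites such as `/* reset now: PS(id) must never hold a freed pointer if control leaves this path before a new id is stored */`. The path that frees the stale pointer a second time is not visible in these hunks (the `new_session` label and the rest of both functions lie outside them), so the wording should be checked against it. It would also be worth confirming that no other `efree(PS(id))` site in session.c is left without the reset, since none are shown here.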
@@ -1575,6 +1576,7 @@
RETURN_FALSE;
}
efree(PS(id));
+ PS(id) = NULL;
}
PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);