[PATCH] dns_get_record() doesn't return all text from TXT record
| Bug #42855 | [PATCH] dns_get_record() doesn't return all text from TXT record | | |
|---|---|---|---|
| Submitted: | 2007-10-04 13:12 UTC | Modified: | 2008-11-03 11:35 UTC |
| From: | misc at e2007 dot cynergi dot com | Assigned: | |
| Status: | Closed | Package: | Network related |
| PHP Version: | 5.2.6 | OS: | * |
| Private report: | No | CVE-ID: | None |
[2007-10-04 13:12 UTC] misc at e2007 dot cynergi dot com
Description:
------------
dns_get_record() doesn't return all text from TXT record.
RFC 1035 states that TXT record values can't have "compression", but can have multiple strings for the same DNS record. Although uncommon, such long TXT strings actually exist to make publicly available public key data for DomainKeys e-mail protocols (used by Yahoo! and Gmail).
The following code examples were compiled when, under Windows, the command "nslookup -type=TXT bravo._domainkey.yahoogroups.co.uk" returned:
(...)
Non-authoritative answer:
bravo._domainkey.yahoogroups.co.uk text =
"k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKt1OprXeH+okFnh8XxMeVV9iYAbhIOMq3ODHpcBm7JSl3Orusqv53BIn55a0JaP1iqbIWu5j3TVIpqbG7MHZU"
"KJQrqcmVSvG7oT3r7Fwo6aCHMMuL+IZdEpbb9ZU8xomQIDAP//"
Reproduce code:
---------------
$x = dns_get_record("bravo._domainkey.yahoogroups.co.uk", DNS_TXT);
var_dump($x);
Expected result:
----------------
array(1) {
[0]=>
array(5) {
["host"]=>
string(34) "bravo._domainkey.yahoogroups.co.uk"
["type"]=>
string(3) "TXT"
["txt"]=>
string(127) "k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKt1OprXeH+okFnh8XxMeVV9iYAbhIOMq3ODHpcBm7JSl3Orusqv53BIn55a0JaP1iqbIWu5j3TVIpqbG7MHZUKJQrqcmVSvG7oT3r7Fwo6aCHMMuL+IZdEpbb9ZU8xomQIDAP//"
["class"]=>
string(2) "IN"
["ttl"]=>
int(17428)
}
}
Actual result:
--------------
array(1) {
[0]=>
array(5) {
["host"]=>
string(34) "bravo._domainkey.yahoogroups.co.uk"
["type"]=>
string(3) "TXT"
["txt"]=>
string(127) "k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKt1OprXeH+okFnh8XxMeVV9iYAbhIOMq3ODHpcBm7JSl3Orusqv53BIn55a0JaP1iqbIWu5j3TVIpqbG7MHZU"
["class"]=>
string(2) "IN"
["ttl"]=>
int(17428)
}
}
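The RDATA layout the report describes (RFC 1035 TXT data is one or more strings, each preceded by a one-byte length), shown as an added example that is not PHP's code or part of the original report: a bounds-checked join in C. The helper name `txt_rdata_join` and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample RDATA: two strings, "hello" and " world". */
static const unsigned char SAMPLE_OK[] =
    { 5, 'h', 'e', 'l', 'l', 'o', 6, ' ', 'w', 'o', 'r', 'l', 'd' };
/* Constructed malformed RDATA: length octet says 10, only 3 bytes follow. */
static const unsigned char SAMPLE_BAD[] = { 10, 'a', 'b', 'c' };

/* Join every <character-string> in one TXT RDATA into out, NUL-terminated.
 * Returns the text length, or -1 if a length octet runs past rdlen or the
 * joined text does not fit in outsz bytes. (Hypothetical helper name.) */
static long txt_rdata_join(const unsigned char *rdata, size_t rdlen,
                           char *out, size_t outsz)
{
    size_t in = 0;  /* read offset: advances over length octets and text */
    size_t len = 0; /* write offset: advances over text only */

    if (outsz == 0)
        return -1;
    while (in < rdlen) {
        size_t n = rdata[in++];   /* length octet, 0..255 */
        if (n > rdlen - in)       /* claims more than the record holds */
            return -1;
        if (n >= outsz - len)     /* must leave room for the terminator */
            return -1;
        memcpy(out + len, rdata + in, n);
        in += n;
        len += n;
    }
    out[len] = '\0';
    return (long)len;
}

int main(void)
{
    char buf[512];
    long n = txt_rdata_join(SAMPLE_OK, sizeof SAMPLE_OK, buf, sizeof buf);
    printf("ok:  %ld \"%s\"\n", n, n < 0 ? "" : buf);
    n = txt_rdata_join(SAMPLE_BAD, sizeof SAMPLE_BAD, buf, sizeof buf);
    printf("bad: %ld\n", n);
    return 0;
}
```

The read and write offsets are kept separate so the length octets never end up in the output or in the reported length.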
[2007-10-04 13:24 UTC] misc at e2007 dot cynergi dot com
[2008-03-02 12:08 UTC] a dot u dot savchuk at gmail dot com
I reproduced this and created a patch to solve the problem. It works for me:
$ ./sapi/cli/php -r '$x = dns_get_record("bravo._domainkey.yahoogroups.co.uk", DNS_TXT); var_dump($x);'
array(1) {
[0]=>
array(5) {
["host"]=>
string(34) "bravo._domainkey.yahoogroups.co.uk"
["type"]=>
string(3) "TXT"
["txt"]=>
string(179) "k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKt1OprXeH+okFnh8XxMeVV9iYAbhIOMq3ODHpcBm7JSl3Orusqv53BIn55a0JaP1iqbIWu5j3TVIpqbG7MHZUKJQrqcmVSvG7oT3r7Fwo6aCHMMuL+IZdEpbb9ZU8xomQIDAP//"
["class"]=>
string(2) "IN"
["ttl"]=>
int(21130)
}
}
Here is the code:
$ cat /home/sawoy/dns.c.patch
--- ../source/php-5.2.5/ext/standard/dns.c 2007-06-26 04:04:55.000000000 -0700 +++ ./ext/standard/dns.c 2008-03-02 03:56:21.000000000 -0800 @@ -474,12 +474,17 @@ static u_char *php_parserr(u_char *cp, q break; case DNS_T_TXT: add_assoc_string(*subarray, "type", "TXT", 1); - n = cp[0]; - tp = emalloc(n + 1); - memcpy(tp, cp + 1, n); - tp[n] = '\0'; + tp = emalloc(dlen + 1); + int ll = 0; + while ( ll < dlen) + { + n = cp[ll]; + memcpy(tp + ll , cp + ll + 1, n); + ll = ll + n + 1; + } + tp[dlen] = '\0'; cp += dlen; - add_assoc_stringl(*subarray, "txt", tp, n, 0); + add_assoc_stringl(*subarray, "txt", tp, dlen, 0); break; case DNS_T_SOA: add_assoc_string(*subarray, "type", "SOA", 1);
[2008-11-03 11:35 UTC] felipe@php.net
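Review bot: in the new while loop under case DNS_T_TXT, n = cp[ll] is read from the response and handed to memcpy(tp + ll, cp + ll + 1, n) with no check against dlen, so a length octet larger than the bytes left in the record makes the copy read past the RDATA and write past the dlen + 1 bytes allocated for tp. Stop and reject the record when ll + 1 + n > dlen before copying. Separately, the destination offset tp + ll also counts the length octets, so an unwritten byte is left after each string and add_assoc_stringl(*subarray, "txt", tp, dlen, 0) reports one byte per string more than the text holds, which matches the string(179) shown above for this two-string record. Keep a separate write offset that advances by n only, terminate at that offset, and pass it as the length.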