PHP :: Bug #67619 :: Length parameters in socket

Bug #67619

Length parameters in socket_write() etc. may be negative

Submitted:

2014-07-14 22:54 UTC

Modified:

2020-09-01 13:22 UTC

Votes:	2
Avg. Score:	2.5 ± 0.5
Reproduced:	0 of 0 (0.0%)

From:

tstarling@php.net

Assigned:

cmb (profile)

Status:

Closed

Package:

Sockets related

PHP Version:

7.2.4

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2014-07-14 22:54 UTC] tstarling@php.net

Description:
------------
In socket_write(), socket_send() and socket_sendto(), it is not checked whether the length parameter is negative. If it is negative, it will be converted to a size_t for the underlying syscall, so a write of more than 2GB will be requested. In my testing, this fails with EFAULT. It is conceivable that it may instead be a buffer overflow on some embedded systems.

I suggest validating the length parameter.

Test script:
---------------
$f = socket_create(AF_INET, SOCK_STREAM,  SOL_TCP);
socket_connect($f, '127.0.0.1',8888);
socket_write($f, "Hello\n", -1);


Actual result:
--------------
Warning: socket_write(): unable to write to socket [14]: Bad address

Patches

Pull Requests

Pull requests:

Validate length on socket_write (php-src/3629)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-03-26 13:25 UTC] cmb@php.net

-Status: Open +Status: Verified -PHP Version: 5.6Git-2014-07-14 (Git) +PHP Version: 7.2.4

[2020-09-01 13:22 UTC] cmb@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: cmb

[2020-09-01 13:22 UTC] cmb@php.net

Fixed as of PHP 7.1.25 and 7.2.13, repectively.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Feb 22 16:01:29 2025 UTC