Bug #67619 Length parameters in socket_write() etc. may be negative
Submitted: 2014-07-14 22:54 UTC Modified: 2020-09-01 13:22 UTC
Votes:2
Avg. Score:2.5 ± 0.5
Reproduced:0 of 0 (0.0%)
From: tstarling@php.net Assigned: cmb (profile)
Status: Closed Package: Sockets related
PHP Version: 7.2.4 OS: Linux
Private report: No CVE-ID: None
 [2014-07-14 22:54 UTC] tstarling@php.net
Description:
------------
In socket_write(), socket_send() and socket_sendto(), it is not checked whether the length parameter is negative. If it is negative, it will be converted to a size_t for the underlying syscall, so a write of more than 2GB will be requested. In my testing, this fails with EFAULT. It is conceivable that it may instead be a buffer overflow on some embedded systems.

I suggest validating the length parameter.

Test script:
---------------
<?php
// Reproduces the report: a negative length is passed to socket_write().
$f = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($f, '127.0.0.1', 8888);
socket_write($f, "Hello\n", -1);


Actual result:
--------------
Warning: socket_write(): unable to write to socket [14]: Bad address


History

 [2018-03-26 13:25 UTC] cmb@php.net
-Status: Open
+Status: Verified
-PHP Version: 5.6Git-2014-07-14 (Git)
+PHP Version: 7.2.4
 [2020-09-01 13:22 UTC] cmb@php.net
-Status: Verified
+Status: Closed
-Assigned To:
+Assigned To: cmb
 [2020-09-01 13:22 UTC] cmb@php.net
Fixed as of PHP 7.1.25 and 7.2.13, respectively.
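
The signed-to-size_t conversion described in the report, next to one way to validate the length, as an added C example (not PHP's source and not the fix that was committed). The names unchecked_request and checked_write are hypothetical, and a Unix socketpair stands in for the TCP connection of the test script.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Unchecked path: the signed length is converted to the size_t count
 * of write(2) with no range check. Returns the count that would be
 * requested. */
static size_t unchecked_request(long length)
{
    return (size_t)length;              /* -1 wraps to SIZE_MAX */
}

/* Hypothetical hardened wrapper: reject a negative length, and never
 * request more bytes than the buffer actually holds. */
static ssize_t checked_write(int fd, const char *buf, size_t buf_len, long length)
{
    if (length < 0) {
        errno = EINVAL;
        return -1;
    }
    size_t n = (size_t)length < buf_len ? (size_t)length : buf_len;
    return write(fd, buf, n);
}

int main(void)
{
    const char msg[] = "Hello\n";       /* constructed sample input */
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    printf("unchecked -1  -> count %zu\n", unchecked_request(-1));
    printf("checked   -1  -> %zd\n", checked_write(sv[0], msg, 6, -1));
    printf("checked   100 -> %zd\n", checked_write(sv[0], msg, 6, 100));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```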
 
Last updated: Sat Dec 21 16:01:28 2024 UTC