php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38251 socket_select() and invalid arguments
Submitted: 2006-07-29 16:03 UTC Modified: 2006-07-31 20:27 UTC
From: axelluttgens at swing dot be Assigned:
Status: Closed Package: Sockets related
PHP Version: 4.4.2 OS: Mac OS X 10.4.7
Private report: No CVE-ID:
 [2006-07-29 16:03 UTC] axelluttgens at swing dot be
Description:
------------
socket_select(), when executed without timeout, is liable to block indefinitely in case of obviously incorrect arguments.

I may be wrong, but this doesn't seem to exactly reflect the behavior of select(2).
In which case the PHP layer might be too permissive while building the descriptors from the arguments passed to socket_select(); perhaps by building valid descriptors when it shouldn't be the case.




Reproduce code:
---------------
Create an executable file (say, test.php) with following contents:

#!/usr/local/bin/php
<?php

while (!$cnt = socket_select($r = array('xyzt'), $w = NULL, $e = NULL, 1))
{
	echo "Count: $cnt\n";
	echo "Err#: ", socket_last_error(), "\n";
}

?>




Expected result:
----------------
socket_select() should exit immediately with an error code reported through socket_last_error() (for example SOCKET_EBADF).




Actual result:
--------------
[1] When running above executable, a warning gets emitted on stdout:

    Warning: socket_select(): supplied argument is not a
    valid Socket resource in /path/to/test.php on line 4

    ^C

but execution indefinitely continues in socket_select(): the loop's body is never executed, and one has to interrupt the program (hence the ^C).

[2] Note that the behavior differs with
    $r = 'xyzt';
instead of:
    $r = array('xyzt');
socket_select() then exits, allowing to enter the loop's body; the output is:

    Warning: socket_select() expects parameter 1 to be
    array, string given in /path/to/test.php on line 4
    Count: 
    Err#: 0

    Warning: socket_select() expects parameter 1 to be
    array, string given in /path/to/test.php on line 4
    Count: 
    Err#: 0

    ^C

Here, PHP quits socket_select() and reports an error (at least through the value FALSE asigned to $cnt).

[3] Now, with
    $r = array('xyzt')
again, but changing the timeout value from NULL to 1, the output is:

    Warning: socket_select(): supplied argument is not a
    valid Socket resource in /path/to/test.php on line 5

    Warning: socket_select(): supplied argument is not a
    valid Socket resource in /path/to/test.php on line 5
    Count: 0
    Err#: 0

    Warning: socket_select(): supplied argument is not a
    valid Socket resource in /path/to/test.php on line 5
    Count: 0
    Err#: 0
    ^C

Strange... why does the warning get emitted twice at the beginning of the execution?

======
Additional info:

Configure Command =>  './configure' '--prefix=/usr/local' '--with-apxs' '--disable-dependency-tracking' '--with-ldap=/usr' '--with-kerberos=/usr' '--enable-cli' '--with-zlib-dir=/usr' '--enable-trans-sid' '--with-xml' '--enable-exif' '--enable-ftp' '--enable-mbstring' '--enable-mbregex' '--enable-dbx' '--enable-sockets' '--with-iodbc=/usr' '--with-curl=/usr' '--with-mysql' '--enable-dba' '--with-db4=/usr/local/BerkeleyDB' '--enable-pcntl'




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-07-29 16:07 UTC] axelluttgens at swing dot be
Sorry,the reproduce code should have a NULL timeout instead of 1 in socket_select().

Otherwise, my comments are a bit confusing...
 [2006-07-30 11:54 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2006-07-31 20:27 UTC] axelluttgens at swing dot be
Thanks for your quick reply!

I didn't have yet the opportunity to build/test the CVS version, but I had a quick look a the changes in the code: it seems that they indeed should do the trick.

Thanks again,
Axel
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 08:02:55 2014 UTC