|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38687 Possible buffer overflow in stream_socket_client() when using "bindto" + IPv6
Submitted: 2006-09-02 00:01 UTC Modified: 2006-09-11 19:20 UTC
From: christian dot schuster at s2000 dot tu-chemnitz dot de Assigned: pollita (profile)
Status: Closed Package: Streams related
PHP Version: 5CVS-2006-09-01 (CVS) OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
37 - 1 = ?
Subscribe to this entry?

 [2006-09-02 00:01 UTC] christian dot schuster at s2000 dot tu-chemnitz dot de
Using stream_socket_client() with a context containing a valid local IPv6 binding address does not actually bind the socket to that address, but fails silently. This is a "side effect" of a possible buffer overflow:

In main/network.c, php_network_connect_socket_to_host() uses a "struct sockaddr", and references it via a pointer to "struct sockaddr_in" or "struct sockaddr_in6". For IPv4, this is usually sufficient - for IPv6 it is not. Upon the subsequent call to inet_pton(), some memory beyond the "struct sockaddr" is accessed.

A "struct sockaddr_in" or "struct sockaddr_in6" should be used instead, depending on the protocol.

PHP6 is affected by this bug, too.

Proposed patch:

Reproduce code:
/* sample code for illegal use of struct sockaddr */

#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main(int, char**) {
	struct sockaddr local_address;
	struct sockaddr_in6 *in6 = (struct sockaddr_in6*)&local_address;
	inet_pton(AF_INET6, "::1", &in6->sin6_addr);

Expected result:
Normal program termination.

Actual result:
"Segmentation fault" on inet_pton().


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-09-04 08:38 UTC]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

 [2006-09-04 21:55 UTC] christian dot schuster at s2000 dot tu-chemnitz dot de

# create context containing binding address
$context = stream_context_create();
stream_context_set_option($context, "socket", "bindto",

# connect to some server
$handle = stream_socket_client("tcp://",
	$errno, $errstr, 5, STREAM_CLIENT_CONNECT,

# print local name
echo stream_socket_get_name($handle, false);

# close connection

 [2006-09-04 22:11 UTC] christian dot schuster at s2000 dot tu-chemnitz dot de
The output of the above script does not depend on whatever "your:local:ipv6:address::here" is replaced with. It should be something like "your:local:ipv6:address::here:port" - though I'd prefer "[your:local:ipv6:address::here]:port", but that's another point.

Another thing I noticed: Appending a port number to the binding address ("[your:local:ipv6:address::here]:port") triggers a warning:

Warning: stream_socket_client(): failed to bind to 'your:local:ipv6:address::here:port', system said: Invalid argument in test.php on line 11
 [2006-09-05 15:37 UTC]
Looks like you've got it pegged, though the patch needs a little work (some systems will blow out your stack'd in4/in6 structs before they reach the bind() call).  I'll apply a patch very similar to this later today when I'm somewhere that I can reasonably test that everything behaves.
 [2006-09-11 19:20 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jun 18 02:01:30 2024 UTC