|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67619 Length parameters in socket_write() etc. may be negative
Submitted: 2014-07-14 22:54 UTC Modified: 2020-09-01 13:22 UTC
Avg. Score:2.5 ± 0.5
Reproduced:0 of 0 (0.0%)
From: Assigned: cmb (profile)
Status: Closed Package: Sockets related
PHP Version: 7.2.4 OS: Linux
Private report: No CVE-ID: None
 [2014-07-14 22:54 UTC]
In socket_write(), socket_send() and socket_sendto(), it is not checked whether the length parameter is negative. If it is negative, it will be converted to a size_t for the underlying syscall, so a write of more than 2GB will be requested. In my testing, this fails with EFAULT. It is conceivable that it may instead be a buffer overflow on some embedded systems.

I suggest validating the length parameter.

Test script:
$f = socket_create(AF_INET, SOCK_STREAM,  SOL_TCP);
socket_connect($f, '',8888);
socket_write($f, "Hello\n", -1);

Actual result:
Warning: socket_write(): unable to write to socket [14]: Bad address


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-26 13:25 UTC]
-Status: Open +Status: Verified -PHP Version: 5.6Git-2014-07-14 (Git) +PHP Version: 7.2.4
 [2020-09-01 13:22 UTC]
-Status: Verified +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-09-01 13:22 UTC]
Fixed as of PHP 7.1.25 and 7.2.13, repectively.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat Jun 10 04:03:38 2023 UTC