php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67619 Length parameters in socket_write() etc. may be negative
Submitted: 2014-07-14 22:54 UTC Modified: 2018-03-26 13:25 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: tstarling@php.net Assigned:
Status: Verified Package: Sockets related
PHP Version: 7.2.4 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-07-14 22:54 UTC] tstarling@php.net
Description:
------------
In socket_write(), socket_send() and socket_sendto(), it is not checked whether the length parameter is negative. If it is negative, it will be converted to a size_t for the underlying syscall, so a write of more than 2GB will be requested. In my testing, this fails with EFAULT. It is conceivable that it may instead be a buffer overflow on some embedded systems.

I suggest validating the length parameter.

Test script:
---------------
$f = socket_create(AF_INET, SOCK_STREAM,  SOL_TCP);
socket_connect($f, '127.0.0.1',8888);
socket_write($f, "Hello\n", -1);


Actual result:
--------------
Warning: socket_write(): unable to write to socket [14]: Bad address


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-26 13:25 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 5.6Git-2014-07-14 (Git) +PHP Version: 7.2.4
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Dec 19 03:01:26 2018 UTC