|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67619 Length parameters in socket_write() etc. may be negative
Submitted: 2014-07-14 22:54 UTC Modified: 2018-03-26 13:25 UTC
Avg. Score:2.5 ± 0.5
Reproduced:0 of 0 (0.0%)
From: Assigned:
Status: Verified Package: Sockets related
PHP Version: 7.2.4 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-07-14 22:54 UTC]
In socket_write(), socket_send() and socket_sendto(), it is not checked whether the length parameter is negative. If it is negative, it will be converted to a size_t for the underlying syscall, so a write of more than 2GB will be requested. In my testing, this fails with EFAULT. It is conceivable that it may instead be a buffer overflow on some embedded systems.

I suggest validating the length parameter.

Test script:
$f = socket_create(AF_INET, SOCK_STREAM,  SOL_TCP);
socket_connect($f, '',8888);
socket_write($f, "Hello\n", -1);

Actual result:
Warning: socket_write(): unable to write to socket [14]: Bad address


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-26 13:25 UTC]
-Status: Open +Status: Verified -PHP Version: 5.6Git-2014-07-14 (Git) +PHP Version: 7.2.4
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Jul 12 09:01:24 2020 UTC