php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67619 Length parameters in socket_write() etc. may be negative
Submitted: 2014-07-14 22:54 UTC Modified: 2020-09-01 13:22 UTC
Votes:2
Avg. Score:2.5 ± 0.5
Reproduced:0 of 0 (0.0%)
From: tstarling@php.net Assigned: cmb (profile)
Status: Closed Package: Sockets related
PHP Version: 7.2.4 OS: Linux
Private report: No CVE-ID: None
 [2014-07-14 22:54 UTC] tstarling@php.net
Description:
------------
In socket_write(), socket_send() and socket_sendto(), it is not checked whether the length parameter is negative. If it is negative, it will be converted to a size_t for the underlying syscall, so a write of more than 2GB will be requested. In my testing, this fails with EFAULT. It is conceivable that it may instead be a buffer overflow on some embedded systems.

I suggest validating the length parameter.

Test script:
---------------
$f = socket_create(AF_INET, SOCK_STREAM,  SOL_TCP);
socket_connect($f, '127.0.0.1',8888);
socket_write($f, "Hello\n", -1);


Actual result:
--------------
Warning: socket_write(): unable to write to socket [14]: Bad address


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-26 13:25 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 5.6Git-2014-07-14 (Git) +PHP Version: 7.2.4
 [2020-09-01 13:22 UTC] cmb@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-09-01 13:22 UTC] cmb@php.net
Fixed as of PHP 7.1.25 and 7.2.13, repectively.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Oct 24 20:01:23 2020 UTC