|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67619 Length parameters in socket_write() etc. may be negative
Submitted: 2014-07-14 22:54 UTC Modified: 2020-09-01 13:22 UTC
Avg. Score:2.5 ± 0.5
Reproduced:0 of 0 (0.0%)
From: Assigned: cmb (profile)
Status: Closed Package: Sockets related
PHP Version: 7.2.4 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
New email:
PHP Version: OS:


 [2014-07-14 22:54 UTC]
In socket_write(), socket_send() and socket_sendto(), it is not checked whether the length parameter is negative. If it is negative, it will be converted to a size_t for the underlying syscall, so a write of more than 2GB will be requested. In my testing, this fails with EFAULT. It is conceivable that it may instead be a buffer overflow on some embedded systems.

I suggest validating the length parameter.

Test script:
$f = socket_create(AF_INET, SOCK_STREAM,  SOL_TCP);
socket_connect($f, '',8888);
socket_write($f, "Hello\n", -1);

Actual result:
Warning: socket_write(): unable to write to socket [14]: Bad address


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-26 13:25 UTC]
-Status: Open +Status: Verified -PHP Version: 5.6Git-2014-07-14 (Git) +PHP Version: 7.2.4
 [2020-09-01 13:22 UTC]
-Status: Verified +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-09-01 13:22 UTC]
Fixed as of PHP 7.1.25 and 7.2.13, repectively.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 17 22:01:28 2024 UTC