Validate length on socket_write

author Thiago Carvalho <thiago.oak@gmail.com>

Sun, 21 Oct 2018 19:42:29 +0000 (21:42 +0200)

committer Joe Watkins <krakjoe@php.net>

Tue, 13 Nov 2018 11:56:37 +0000 (12:56 +0100)
author Thiago Carvalho <thiago.oak@gmail.com>
Sun, 21 Oct 2018 19:42:29 +0000 (21:42 +0200)
committer Joe Watkins <krakjoe@php.net>
Tue, 13 Nov 2018 11:56:37 +0000 (12:56 +0100)
diff --git a/NEWS b/NEWS

index a31a6fa4f21b8d5f7808c5e93c3d2281a4fe1ea9..f6ae98fe7bf9d1a55a86e52bebd5aaad888d8da6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,9 @@ PHP                                                                        NEWS
    . Fixed bug #76348 (WSDL_CACHE_MEMORY causes Segmentation fault). (cmb)
    . Fixed bug #77141 (Signedness issue in SOAP when precision=-1). (cmb)
  
+- Sockets:
+  . Fixed bug #67619 (Validate length on socket_write). (thiagooak)
+
  08 Nov 2018, PHP 7.1.24
  
  - Core:
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c

index df0cd398cd790d4bc2ee11e97620d0feeacbb59e..6a3d26d06e7351030e0a48c7ad71017e4550773f 100644 (file)
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -1113,6 +1113,11 @@ PHP_FUNCTION(socket_write)
                 return;
         }
  
+       if (length < 0) {
+               php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+               RETURN_FALSE;
+       }
+
         if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
                 RETURN_FALSE;
         }
@@ -1655,6 +1660,11 @@ PHP_FUNCTION(socket_send)
                 return;
         }
  
+       if (len < 0) {
+               php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+               RETURN_FALSE;
+       }
+
         if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
                 RETURN_FALSE;
         }
@@ -1817,6 +1827,11 @@ PHP_FUNCTION(socket_sendto)
                 return;
         }
  
+       if (len < 0) {
+               php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+               RETURN_FALSE;
+       }
+
         if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
                 RETURN_FALSE;
         }
diff --git a/ext/sockets/tests/socket_send_params.phpt b/ext/sockets/tests/socket_send_params.phpt

new file mode 100644 (file)

index 0000000..44be133
--- /dev/null
+++ b/ext/sockets/tests/socket_send_params.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_send - test with incorrect parameters
+--SKIPIF--
+<?php
+    if (!extension_loaded('sockets')) {
+        die('skip sockets extension not available.');
+    }
+?>
+--FILE--
+<?php
+    $rand = rand(1,999);
+    $s_c = socket_create_listen(31330+$rand);
+    $s_w = socket_send($s_c, "foo", -1, MSG_OOB);
+    socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_send(): Length cannot be negative in %s on line %i
diff --git a/ext/sockets/tests/socket_sendto_params.phpt b/ext/sockets/tests/socket_sendto_params.phpt

new file mode 100644 (file)

index 0000000..f232258
--- /dev/null
+++ b/ext/sockets/tests/socket_sendto_params.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_sendto - test with incorrect parameters
+--SKIPIF--
+<?php
+    if (!extension_loaded('sockets')) {
+        die('skip sockets extension not available.');
+    }
+?>
+--FILE--
+<?php
+    $rand = rand(1,999);
+    $s_c = socket_create_listen(31330+$rand);
+    $s_w = socket_sendto($s_c, "foo", -1, MSG_OOB, '127.0.0.1');
+    socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_sendto(): Length cannot be negative in %s on line %i
diff --git a/ext/sockets/tests/socket_write_params.phpt b/ext/sockets/tests/socket_write_params.phpt

index 5d0f113ca02853e2df586dca58701b4e150ed10b..0ebd69192aa49eb1b5f1f7500670817a2c0abea2 100644 (file)
--- a/ext/sockets/tests/socket_write_params.phpt
+++ b/ext/sockets/tests/socket_write_params.phpt
@@ -17,6 +17,7 @@ fa@php.net
      $s_c = socket_create_listen(31330+$rand);
      $s_w = socket_write($s_c);
      $s_w = socket_write($s_c, "foo");
+    $s_w = socket_write($s_c, "foo", -1);
      socket_close($s_c);
  ?>
  --EXPECTF--
@@ -25,3 +26,5 @@ Warning: socket_write() expects at least 2 parameters, 0 given in %s on line %i
  Warning: socket_write() expects at least 2 parameters, 1 given in %s on line %i
  
  Warning: socket_write(): unable to write to socket [%i]: %a in %s on line %i
+
+Warning: socket_write(): Length cannot be negative in %s on line %i
author	Thiago Carvalho <thiago.oak@gmail.com>
	Sun, 21 Oct 2018 19:42:29 +0000 (21:42 +0200)
committer	Joe Watkins <krakjoe@php.net>
	Tue, 13 Nov 2018 11:56:37 +0000 (12:56 +0100)
NEWS		patch \| blob \| history
ext/sockets/sockets.c		patch \| blob \| history
ext/sockets/tests/socket_send_params.phpt	[new file with mode: 0644]	patch \| blob
ext/sockets/tests/socket_sendto_params.phpt	[new file with mode: 0644]	patch \| blob
ext/sockets/tests/socket_write_params.phpt		patch \| blob \| history