From ec2e7a2d480cfe51e5a234354a50bb4c85fae155 Mon Sep 17 00:00:00 2001
From: Thiago Carvalho
Date: Sun, 21 Oct 2018 21:42:29 +0200
Subject: [PATCH] Validate length on socket_write
---
 NEWS | 3 +++
 ext/sockets/sockets.c | 15 +++++++++++++++
 ext/sockets/tests/socket_send_params.phpt | 17 +++++++++++++++++
 ext/sockets/tests/socket_sendto_params.phpt | 17 +++++++++++++++++
 ext/sockets/tests/socket_write_params.phpt | 3 +++
 5 files changed, 55 insertions(+)
 create mode 100644 ext/sockets/tests/socket_send_params.phpt
 create mode 100644 ext/sockets/tests/socket_sendto_params.phpt
diff --git a/NEWS b/NEWS
index a31a6fa4f2..f6ae98fe7b 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,9 @@ PHP NEWS
 . Fixed bug #76348 (WSDL_CACHE_MEMORY causes Segmentation fault). (cmb)
 . Fixed bug #77141 (Signedness issue in SOAP when precision=-1). (cmb)
+- Sockets:
+ . Fixed bug #67619 (Validate length on socket_write). (thiagooak)
+
 08 Nov 2018, PHP 7.1.24
 - Core:
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index df0cd398cd..6a3d26d06e 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -1113,6 +1113,11 @@ PHP_FUNCTION(socket_write)
 return;
 }
+ if (length < 0) {
+ php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+ RETURN_FALSE;
+ }
+
 if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 RETURN_FALSE;
 }
@@ -1655,6 +1660,11 @@ PHP_FUNCTION(socket_send)
 return;
 }
+ if (len < 0) {
+ php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+ RETURN_FALSE;
+ }
+
 if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 RETURN_FALSE;
 }
@@ -1817,6 +1827,11 @@ PHP_FUNCTION(socket_sendto)
 return;
 }
+ if (len < 0) {
+ php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+ RETURN_FALSE;
+ }
+
 if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 RETURN_FALSE;
 }
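Review bot: The guards added in socket_write, socket_send and socket_sendto reject only a negative length; nothing visible in these three hunks bounds the value from above against the size of the string being sent. Each function body continues outside its hunk, so the cap may already exist further down, but it should be confirmed on all three paths that the count handed to the underlying write/send call can never exceed the buffer. A short comment above each guard would record why it sits ahead of any use of the value, for example `/* reject before the length is used as a byte count */`. The same four lines are repeated verbatim three times, so a small shared helper or macro would keep the message and the behaviour in step if a fourth caller is added.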
diff --git a/ext/sockets/tests/socket_send_params.phpt b/ext/sockets/tests/socket_send_params.phpt
new file mode 100644
index 0000000000..44be133bf9
--- /dev/null
+++ b/ext/sockets/tests/socket_send_params.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_send - test with incorrect parameters
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+Warning: socket_send(): Length cannot be negative in %s on line %i
diff --git a/ext/sockets/tests/socket_sendto_params.phpt b/ext/sockets/tests/socket_sendto_params.phpt
new file mode 100644
index 0000000000..f232258ec0
--- /dev/null
+++ b/ext/sockets/tests/socket_sendto_params.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_sendto - test with incorrect parameters
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+Warning: socket_sendto(): Length cannot be negative in %s on line %i
diff --git a/ext/sockets/tests/socket_write_params.phpt b/ext/sockets/tests/socket_write_params.phpt
index 5d0f113ca0..0ebd69192a 100644
--- a/ext/sockets/tests/socket_write_params.phpt
+++ b/ext/sockets/tests/socket_write_params.phpt
@@ -17,6 +17,7 @@ fa@php.net
 $s_c = socket_create_listen(31330+$rand);
 $s_w = socket_write($s_c);
 $s_w = socket_write($s_c, "foo");
+ $s_w = socket_write($s_c, "foo", -1);
 socket_close($s_c);
 ?>
 --EXPECTF--
@@ -25,3 +26,5 @@ Warning: socket_write() expects at least 2 parameters, 0 given in %s on line %i
 Warning: socket_write() expects at least 2 parameters, 1 given in %s on line %i
 Warning: socket_write(): unable to write to socket [%i]: %a in %s on line %i
+
+Warning: socket_write(): Length cannot be negative in %s on line %i
--
2.40.0