diff options
author | Thiago Carvalho <thiago.oak@gmail.com> | 2018-10-21 21:42:29 +0200 |
---|---|---|
committer | Joe Watkins <krakjoe@php.net> | 2018-11-13 12:56:37 +0100 |
commit | ec2e7a2d480cfe51e5a234354a50bb4c85fae155 (patch) | |
tree | a496d9797567cbc8d0b387e681d7b3eee2403c0f | |
parent | f6079e3c56eabe03565faceaef9de12728d278bf (diff) | |
download | php-git-ec2e7a2d480cfe51e5a234354a50bb4c85fae155.tar.gz |
Validate length on socket_write
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/sockets/sockets.c | 15 | ||||
-rw-r--r-- | ext/sockets/tests/socket_send_params.phpt | 17 | ||||
-rw-r--r-- | ext/sockets/tests/socket_sendto_params.phpt | 17 | ||||
-rw-r--r-- | ext/sockets/tests/socket_write_params.phpt | 3 |
5 files changed, 55 insertions, 0 deletions
@@ -13,6 +13,9 @@ PHP NEWS . Fixed bug #76348 (WSDL_CACHE_MEMORY causes Segmentation fault). (cmb) . Fixed bug #77141 (Signedness issue in SOAP when precision=-1). (cmb) +- Sockets: + . Fixed bug #67619 (Validate length on socket_write). (thiagooak) + 08 Nov 2018, PHP 7.1.24 - Core: diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c index df0cd398cd..6a3d26d06e 100644 --- a/ext/sockets/sockets.c +++ b/ext/sockets/sockets.c @@ -1113,6 +1113,11 @@ PHP_FUNCTION(socket_write) return; } + if (length < 0) { + php_error_docref(NULL, E_WARNING, "Length cannot be negative"); + RETURN_FALSE; + } + if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) { RETURN_FALSE; } @@ -1655,6 +1660,11 @@ PHP_FUNCTION(socket_send) return; } + if (len < 0) { + php_error_docref(NULL, E_WARNING, "Length cannot be negative"); + RETURN_FALSE; + } + if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) { RETURN_FALSE; } @@ -1817,6 +1827,11 @@ PHP_FUNCTION(socket_sendto) return; } + if (len < 0) { + php_error_docref(NULL, E_WARNING, "Length cannot be negative"); + RETURN_FALSE; + } + if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) { RETURN_FALSE; } diff --git a/ext/sockets/tests/socket_send_params.phpt b/ext/sockets/tests/socket_send_params.phpt new file mode 100644 index 0000000000..44be133bf9 --- /dev/null +++ b/ext/sockets/tests/socket_send_params.phpt @@ -0,0 +1,17 @@ +--TEST-- +ext/sockets - socket_send - test with incorrect parameters +--SKIPIF-- +<?php + if (!extension_loaded('sockets')) { + die('skip sockets extension not available.'); + } +?> +--FILE-- +<?php + $rand = rand(1,999); + $s_c = socket_create_listen(31330+$rand); + $s_w = socket_send($s_c, "foo", -1, MSG_OOB); + socket_close($s_c); +?> +--EXPECTF-- +Warning: socket_send(): Length cannot be negative in %s on line %i diff --git a/ext/sockets/tests/socket_sendto_params.phpt b/ext/sockets/tests/socket_sendto_params.phpt new file mode 100644 index 0000000000..f232258ec0 --- /dev/null +++ b/ext/sockets/tests/socket_sendto_params.phpt @@ -0,0 +1,17 @@ +--TEST-- +ext/sockets - socket_sendto - test with incorrect parameters +--SKIPIF-- +<?php + if (!extension_loaded('sockets')) { + die('skip sockets extension not available.'); + } +?> +--FILE-- +<?php + $rand = rand(1,999); + $s_c = socket_create_listen(31330+$rand); + $s_w = socket_sendto($s_c, "foo", -1, MSG_OOB, '127.0.0.1'); + socket_close($s_c); +?> +--EXPECTF-- +Warning: socket_sendto(): Length cannot be negative in %s on line %i diff --git a/ext/sockets/tests/socket_write_params.phpt b/ext/sockets/tests/socket_write_params.phpt index 5d0f113ca0..0ebd69192a 100644 --- a/ext/sockets/tests/socket_write_params.phpt +++ b/ext/sockets/tests/socket_write_params.phpt @@ -17,6 +17,7 @@ fa@php.net $s_c = socket_create_listen(31330+$rand); $s_w = socket_write($s_c); $s_w = socket_write($s_c, "foo"); + $s_w = socket_write($s_c, "foo", -1); socket_close($s_c); ?> --EXPECTF-- @@ -25,3 +26,5 @@ Warning: socket_write() expects at least 2 parameters, 0 given in %s on line %i Warning: socket_write() expects at least 2 parameters, 1 given in %s on line %i Warning: socket_write(): unable to write to socket [%i]: %a in %s on line %i + +Warning: socket_write(): Length cannot be negative in %s on line %i |