Fix socket_recvfrom overflow on buffer size.

devnexen · devnexen · commit e40cde068390 · 2024-10-12T06:01:15.000+01:00
when passing PHP_INT_MAX for the $length param we get this (with ubsan)

`ext/sockets/sockets.c:1409:36: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int'`
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
@@ -1402,7 +1402,8 @@ PHP_FUNCTION(socket_recvfrom)
 
 	/* overflow check */
 	/* Shouldthrow ? */
-	if ((arg3 + 2) < 3) {
+
+	if (arg3 <= 0 || arg3 > ZEND_LONG_MAX - 1) {
 		RETURN_FALSE;
 	}
 
diff --git a/ext/sockets/tests/socket_recv_overflow.phpt b/ext/sockets/tests/socket_recv_overflow.phpt
@@ -0,0 +1,14 @@
+--TEST--
+socket_recvfrom overflow on length argument
+--EXTENSIONS--
+sockets
+--FILE--
+<?php
+    $s = socket_create(AF_UNIX, SOCK_DGRAM, 0);
+    $buf = $end = "";
+    var_dump(socket_recvfrom($s, $buf, PHP_INT_MAX, 0, $end));
+    var_dump(socket_recvfrom($s, $buf, -1, 0, $end));
+?>
+--EXPECT--
+bool(false)
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -1402,7 +1402,8 @@ PHP_FUNCTION(socket_recvfrom)`
`1402`	`1402`
`1403`	`1403`	`/* overflow check */`
`1404`	`1404`	`/* Shouldthrow ? */`
`1405`		`- if ((arg3 + 2) < 3) {`
	`1405`	`+`
	`1406`	`+ if (arg3 <= 0 \|\| arg3 > ZEND_LONG_MAX - 1) {`
`1406`	`1407`	`RETURN_FALSE;`
`1407`	`1408`	`}`
`1408`	`1409`