Skip to content

Fix socket_recvfrom overflow on buffer size. #16382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fix socket_recvfrom overflow on buffer size. #16382

wants to merge 1 commit into from

Conversation

devnexen
Copy link
Member

when passing PHP_INT_MAX for the $length param we get this (with ubsan)

ext/sockets/sockets.c:1409:36: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int'

@devnexen devnexen force-pushed the socket_recv_overflow branch from ab7afe8 to 85f45d1 Compare October 12, 2024 04:27
@devnexen devnexen force-pushed the socket_recv_overflow branch from 85f45d1 to e40cde0 Compare October 12, 2024 05:26
@devnexen devnexen marked this pull request as ready for review October 12, 2024 05:26
nielsdos
nielsdos requested changes Oct 12, 2024
View reviewed changes
Copy link
Member

@nielsdos nielsdos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM apart from the test failure.

ext/sockets/tests/socket_recv_overflow.phpt
--EXTENSIONS--
sockets
--FILE--
<?php
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test fails on Windows, also a bit of a weird indentation: normally we don't indent tests outer scope?

Copy link
Member Author

@devnexen devnexen Oct 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes that was just quick copy paste from my local messy test :)

ext/sockets/sockets.c
@@ -1402,7 +1402,8 @@ PHP_FUNCTION(socket_recvfrom)

/* overflow check */
/* Shouldthrow ? */
if ((arg3 + 2) < 3) {

if (arg3 <= 0 || arg3 > ZEND_LONG_MAX - 1) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original code also intended to disallow ZEND_LONG_MAX-1, not sure why. I think what you did is fine though.

@devnexen
Fix socket_recvfrom overflow on buffer size.
3a861aa 
when passing PHP_INT_MAX for the $length param we get this (with ubsan)

`ext/sockets/sockets.c:1409:36: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int'`
@devnexen devnexen force-pushed the socket_recv_overflow branch from e40cde0 to 3a861aa Compare October 12, 2024 09:25
nielsdos
nielsdos approved these changes Oct 12, 2024
View reviewed changes
Copy link
Member

@nielsdos nielsdos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use PHP_OS_FAMILY == "Windows", which is simpler, but what you did is fine too.

@devnexen devnexen closed this in e583890 Oct 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nielsdos nielsdos nielsdos approved these changes

Assignees
No one assigned
Labels
Extension: sockets
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@devnexen @nielsdos