Validate length on socket_write

Author: thiagooak

NEWS

@@ -13,6 +13,9 @@ PHP                                                                        NEWS
   . Fixed bug #76348 (WSDL_CACHE_MEMORY causes Segmentation fault). (cmb)
   . Fixed bug #77141 (Signedness issue in SOAP when precision=-1). (cmb)
 
+- Sockets:
+  . Fixed bug #67619 (Validate length on socket_write). (thiagooak)
+
 08 Nov 2018, PHP 7.1.24
 
 - Core:

ext/sockets/sockets.c

@@ -1113,6 +1113,11 @@ PHP_FUNCTION(socket_write)
 		return;
 	}
 
+	if (length < 0) {
+		php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+		RETURN_FALSE;
+	}
+
 	if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 		RETURN_FALSE;
 	}
@@ -1655,6 +1660,11 @@ PHP_FUNCTION(socket_send)
 		return;
 	}
 
+	if (len < 0) {
+		php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+		RETURN_FALSE;
+	}
+
 	if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 		RETURN_FALSE;
 	}
@@ -1817,6 +1827,11 @@ PHP_FUNCTION(socket_sendto)
 		return;
 	}
 
+	if (len < 0) {
+		php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+		RETURN_FALSE;
+	}
+
 	if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 		RETURN_FALSE;
 	}

ext/sockets/tests/socket_send_params.phpt

@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_send - test with incorrect parameters
+--SKIPIF--
+<?php
+    if (!extension_loaded('sockets')) {
+        die('skip sockets extension not available.');
+    }
+?>
+--FILE--
+<?php
+    $rand = rand(1,999);
+    $s_c = socket_create_listen(31330+$rand);
+    $s_w = socket_send($s_c, "foo", -1, MSG_OOB);
+    socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_send(): Length cannot be negative in %s on line %i

ext/sockets/tests/socket_sendto_params.phpt

@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_sendto - test with incorrect parameters
+--SKIPIF--
+<?php
+    if (!extension_loaded('sockets')) {
+        die('skip sockets extension not available.');
+    }
+?>
+--FILE--
+<?php
+    $rand = rand(1,999);
+    $s_c = socket_create_listen(31330+$rand);
+    $s_w = socket_sendto($s_c, "foo", -1, MSG_OOB, '127.0.0.1');
+    socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_sendto(): Length cannot be negative in %s on line %i

ext/sockets/tests/socket_write_params.phpt

@@ -17,6 +17,7 @@ fa@php.net
     $s_c = socket_create_listen(31330+$rand);
     $s_w = socket_write($s_c);
     $s_w = socket_write($s_c, "foo");
+    $s_w = socket_write($s_c, "foo", -1);
     socket_close($s_c);
 ?>
 --EXPECTF--
@@ -25,3 +26,5 @@ Warning: socket_write() expects at least 2 parameters, 0 given in %s on line %i
 Warning: socket_write() expects at least 2 parameters, 1 given in %s on line %i
 
 Warning: socket_write(): unable to write to socket [%i]: %a in %s on line %i
+
+Warning: socket_write(): Length cannot be negative in %s on line %i