authorFelipe Pena <felipe@php.net>2011-05-24 00:05:50 +0000
committerFelipe Pena <felipe@php.net>2011-05-24 00:05:50 +0000
commite9f4cfd6afae2efc6fe7bf9de5ba8944f3781c1f (patch)
tree16482d2d2a5dc5b080de79cd89aa9e6debc4bba9
parent00169ec00ffa56c761191de6ebeb47e9169feba1 (diff)
- Fixed stack buffer overflow in socket_connect().
Found by: Mateusz Kocielski, Marek Kroemeke and Filip Palian
-rw-r--r--NEWS2
-rw-r--r--ext/sockets/sockets.c5
2 files changed, 7 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index f0cd89ba67..d555f020d5 100644
--- a/NEWS
+++ b/NEWS
@@ -118,6 +118,8 @@ PHP NEWS
. Fixed bug #54312 (soap_version logic bug). (tom at samplonius dot org)
- Sockets extension:
+ . Fixed stack buffer overflow in socket_connect().
+ Found by Mateusz Kocielski, Marek Kroemeke and Filip Palian. (Felipe)
. Changed socket_set_block() and socket_set_nonblock() so they emit warnings
on error. (Gustavo)
. Fixed bug #51958 (socket_accept() fails on IPv6 server sockets). (Gustavo)
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index 91ae979827..048afe1c5f 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -1336,6 +1336,11 @@ PHP_FUNCTION(socket_connect)
break;
case AF_UNIX:
+ if (addr_len >= sizeof(s_un.sun_path)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);
+ RETURN_FALSE;
+ }
+
memset(&s_un, 0, sizeof(struct sockaddr_un));
s_un.sun_family = AF_UNIX;
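Review bot: The new `php_error_docref` call in the `AF_UNIX` case passes `php_sock->type` as a trailing argument, but the format string "Path too long" has no conversion specifier, so the value is ignored and a format-checking compiler may warn about it. The call should read `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");`. The `>=` bound looks right: together with the `memset` that follows, it keeps a terminating NUL in `sun_path`, which deserves a short comment such as `/* reject paths that would not leave room for the trailing NUL in sun_path */`. The copy into `s_un.sun_path` lies below the last line of this hunk, so the guard is only assumed to precede it. Any other code in this file that copies a caller-supplied path into `sun_path` is not visible here and should be checked for the same length test.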