Skip to content

Commit

Permalink
Initialize s_un (sockaddr_un) to zero before using it. Fixes #76839.
Browse files Browse the repository at this point in the history
  • Loading branch information
@mmeyer724 @weltling
mmeyer724 authored and weltling committed Dec 26, 2018
1 parent 3c7dc7b commit 3c42c78
Show file tree
Hide file tree
Showing 2 changed files with 67 additions and 0 deletions.
2 changes: 2 additions & 0 deletions ext/sockets/sockets.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1778,7 +1778,9 @@ PHP_FUNCTION(socket_recvfrom)
switch (php_sock->type) {
case AF_UNIX:
slen = sizeof(s_un);
memset(&s_un, 0, slen);
s_un.sun_family = AF_UNIX;

retval = recvfrom(php_sock->bsd_socket, ZSTR_VAL(recv_buf), arg3, arg4, (struct sockaddr *)&s_un, (socklen_t *)&slen);

if (retval < 0) {
Expand Down
65 changes: 65 additions & 0 deletions ext/sockets/tests/bug76839.phpt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
--TEST--
Bug #76839: socket_recvfrom may return an invalid 'from' address on MacOS
--SKIPIF--
<?php
if (strtolower(substr(PHP_OS, 0, 3)) === 'win') {
die('skip not valid for Windows.');
}
if (!extension_loaded('sockets')) {
die('skip sockets extension not available.');
}
--FILE--
<?php

// This bug only occurs when a specific portion of memory is unclean.
// Unforunately, looping around 10 times and using random paths is the
// best way I could manage to reproduce this problem without modifying php itself :-/

for ($i = 0; $i < 10; $i++) {
$senderSocketPath = '/tmp/' . substr(md5(rand()), 0, rand(8, 16)) . '.sock';
$senderSocket = socket_create(AF_UNIX, SOCK_DGRAM, 0);
socket_bind($senderSocket, $senderSocketPath);

$receiverSocketPath = '/tmp/' . substr(md5(rand()), 0, rand(8, 16)) . '.sock';
$receiverSocket = socket_create(AF_UNIX, SOCK_DGRAM, 0);
socket_bind($receiverSocket, $receiverSocketPath);

// Send message from sender socket to receiver socket
socket_sendto($senderSocket, 'Ping!', 5, 0, $receiverSocketPath);

// Receive message on receiver socket
$from = '';
$message = '';
socket_recvfrom($receiverSocket, $message, 65535, 0, $from);
echo "Received '$message'\n";

// Respond to the sender using the 'from' address from socket_recvfrom
socket_sendto($receiverSocket, 'Pong!', 5, 0, $from);
echo "Responded to sender with 'Pong!'\n";

socket_close($receiverSocket);
unlink($receiverSocketPath);
socket_close($senderSocket);
unlink($senderSocketPath);
}
--EXPECT--
Received 'Ping!'
Responded to sender with 'Pong!'
Received 'Ping!'
Responded to sender with 'Pong!'
Received 'Ping!'
Responded to sender with 'Pong!'
Received 'Ping!'
Responded to sender with 'Pong!'
Received 'Ping!'
Responded to sender with 'Pong!'
Received 'Ping!'
Responded to sender with 'Pong!'
Received 'Ping!'
Responded to sender with 'Pong!'
Received 'Ping!'
Responded to sender with 'Pong!'
Received 'Ping!'
Responded to sender with 'Pong!'
Received 'Ping!'
Responded to sender with 'Pong!'

0 comments on commit 3c42c78

Please sign in to comment.