ext/sockets: follow-up on phpGH-17300 to check hints value ranges.

close phpGH-17326
DanielEScherzer · Jan 4, 2025 · c7a322c · c7a322c
1 parent 0a69e14
commit c7a322c
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 2 deletions.
diff --git a/NEWS b/NEWS
@@ -90,6 +90,8 @@ PHP                                                                        NEWS
     (David Carlier)
   . socket_addrinfo_lookup throws an exception on invalid hints value types.
     (David Carlier)
+  . socket_addrinfo_lookup throws an exception if any of the hints value
+    overflows. (David Carlier)
 
 - Standard:
   . Fixed crypt() tests on musl when using --with-external-libcrypt

diff --git a/UPGRADING b/UPGRADING
@@ -128,7 +128,8 @@ PHP 8.5 UPGRADE NOTES
   . socket_create_listen, socket_bind and socket_sendto throw a
     ValueError if the port is lower than 0 or greater than 65535.
   . socket_addrinfo_lookup throw a TypeError if any of the hints
-    values cannot be cast to a int.
+    values cannot be cast to a int and can throw a ValueError if
+    any of these values overflow.
 
 - Zlib:
   . The "use_include_path" argument for the

diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
@@ -2583,6 +2583,12 @@ PHP_FUNCTION(socket_addrinfo_lookup)
 
 	memset(&hints, 0, sizeof(hints));
 
+#if defined(PHP_WIN32)
+#  if !defined(AF_MAX)
+#    define AF_MAX (AF_BTH + 1)
+#  endif
+#endif
+
 	if (zhints && !HT_IS_PACKED(Z_ARRVAL_P(zhints))) {
 		ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(zhints), key, hint) {
 			if (key) {
@@ -2593,27 +2599,43 @@ PHP_FUNCTION(socket_addrinfo_lookup)
 						zend_argument_type_error(3, "\"ai_flags\" key must be of type int, %s given", zend_zval_type_name(hint));
 						RETURN_THROWS();
 					}
+					if (val < 0 || val > INT_MAX) {
+						zend_argument_value_error(3, "\"ai_flags\" key must be between 0 and %d", INT_MAX);
+						RETURN_THROWS();
+					}
 					hints.ai_flags = (int)val;
 				} else if (zend_string_equals_literal(key, "ai_socktype")) {
 					zend_long val = zval_try_get_long(hint, &failed);
 					if (failed) {
 						zend_argument_type_error(3, "\"ai_socktype\" key must be of type int, %s given", zend_zval_type_name(hint));
 						RETURN_THROWS();
 					}
+					if (val < 0 || val > INT_MAX) {
+						zend_argument_value_error(3, "\"ai_socktype\" key must be between 0 and %d", INT_MAX);
+						RETURN_THROWS();
+					}
 					hints.ai_socktype = (int)val;
 				} else if (zend_string_equals_literal(key, "ai_protocol")) {
 					zend_long val = zval_try_get_long(hint, &failed);
 					if (failed) {
 						zend_argument_type_error(3, "\"ai_protocol\" key must be of type int, %s given", zend_zval_type_name(hint));
 						RETURN_THROWS();
 					}
+					if (val < 0 || val > INT_MAX) {
+						zend_argument_value_error(3, "\"ai_protocol\" key must be between 0 and %d", INT_MAX);
+						RETURN_THROWS();
+					}
 					hints.ai_protocol = (int)val;
 				} else if (zend_string_equals_literal(key, "ai_family")) {
 					zend_long val = zval_try_get_long(hint, &failed);
 					if (failed) {
 						zend_argument_type_error(3, "\"ai_family\" key must be of type int, %s given", zend_zval_type_name(hint));
 						RETURN_THROWS();
 					}
+					if (val < 0 || val >= AF_MAX) {
+						zend_argument_value_error(3, "\"ai_family\" key must be between 0 and %d", AF_MAX - 1);
+						RETURN_THROWS();
+					}
 					hints.ai_family = (int)val;
 				} else {
 					zend_argument_value_error(3, "must only contain array keys \"ai_flags\", \"ai_socktype\", "

diff --git a/ext/sockets/tests/socket_getaddrinfo_error.phpt b/ext/sockets/tests/socket_getaddrinfo_error.phpt
@@ -44,9 +44,53 @@ try {
 } catch (\TypeError $e) {
 	echo $e->getMessage() . PHP_EOL;
 }
+try {
+	socket_addrinfo_lookup('127.0.0.1', 2000, array(
+		'ai_family' => PHP_INT_MAX,
+		'ai_socktype' => SOCK_DGRAM,
+		'ai_flags' => 0,
+		'ai_protocol' => 0,
+	));
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	socket_addrinfo_lookup('127.0.0.1', 2000, array(
+		'ai_family' => AF_INET,
+		'ai_socktype' => -1,
+		'ai_flags' => 0,
+		'ai_protocol' => 0,
+	));
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	socket_addrinfo_lookup('127.0.0.1', 2000, array(
+		'ai_family' => AF_INET,
+		'ai_socktype' => SOCK_DGRAM,
+		'ai_flags' => -256,
+		'ai_protocol' => 0,
+	));
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	socket_addrinfo_lookup('127.0.0.1', 2000, array(
+		'ai_family' => AF_INET,
+		'ai_socktype' => SOCK_DGRAM,
+		'ai_flags' => 0,
+		'ai_protocol' => PHP_INT_MIN,
+	));
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
 ?>
---EXPECT--
+--EXPECTF--
 socket_addrinfo_lookup(): Argument #3 ($hints) "ai_family" key must be of type int, stdClass given
 socket_addrinfo_lookup(): Argument #3 ($hints) "ai_socktype" key must be of type int, stdClass given
 socket_addrinfo_lookup(): Argument #3 ($hints) "ai_flags" key must be of type int, stdClass given
 socket_addrinfo_lookup(): Argument #3 ($hints) "ai_protocol" key must be of type int, stdClass given
+socket_addrinfo_lookup(): Argument #3 ($hints) "ai_family" key must be between 0 and %d
+socket_addrinfo_lookup(): Argument #3 ($hints) "ai_socktype" key must be between 0 and %d
+socket_addrinfo_lookup(): Argument #3 ($hints) "ai_flags" key must be between 0 and %d
+socket_addrinfo_lookup(): Argument #3 ($hints) "ai_protocol" key must be between 0 and %d