Commit b6495c189af for php.net
commit b6495c189aff4084827c49c8ec928bd84348d2cd
Author: David Carlier <devnexen@gmail.com>
Date: Sat Feb 14 16:43:34 2026 +0000
ext/sockets: socket_sendto() add max addr length control for AF_UNIX.
we just mirror what is done for socket_connect()/AF_UNIX type.
close GH-21218
diff --git a/NEWS b/NEWS
index 536eeafbb8b..b8c10e2be2f 100644
--- a/NEWS
+++ b/NEWS
@@ -41,6 +41,8 @@ PHP NEWS
- Sockets:
. Fixed bug GH-21161 (socket_set_option() crash with array 'addr'
entry as null). (David Carlier)
+ . Fixed possible addr length overflow with socket_connect() and AF_UNIX
+ family sockets. (David Carlier)
- Windows:
. Fixed compilation with clang (missing intrin.h include). (Kévin Dunglas)
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index 5f0127e94f2..79d5f77856d 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -1584,6 +1584,12 @@ PHP_FUNCTION(socket_sendto)
switch (php_sock->type) {
case AF_UNIX:
memset(&s_un, 0, sizeof(s_un));
+
+ if (addr_len >= sizeof(s_un.sun_path)) {
+ zend_argument_value_error(5, "must be less than %d", sizeof(s_un.sun_path));
+ RETURN_THROWS();
+ }
+
s_un.sun_family = AF_UNIX;
snprintf(s_un.sun_path, sizeof(s_un.sun_path), "%s", addr);
diff --git a/ext/sockets/tests/socket_sendto_unix_addr_too_long.phpt b/ext/sockets/tests/socket_sendto_unix_addr_too_long.phpt
new file mode 100644
index 00000000000..f2b62527e33
--- /dev/null
+++ b/ext/sockets/tests/socket_sendto_unix_addr_too_long.phpt
@@ -0,0 +1,29 @@
+--TEST--
+socket_sendto() with AF_UNIX rejects address exceeding sun_path limit
+--EXTENSIONS--
+sockets
+--SKIPIF--
+<?php
+if (substr(PHP_OS, 0, 3) == 'WIN') {
+ die('skip not valid for Windows');
+}
+?>
+--FILE--
+<?php
+$socket = socket_create(AF_UNIX, SOCK_DGRAM, 0);
+if (!$socket) {
+ die('Unable to create AF_UNIX socket');
+}
+
+$long_addr = str_repeat('a', 512);
+
+try {
+ socket_sendto($socket, "data", 4, 0, $long_addr);
+} catch (\ValueError $e) {
+ echo $e->getMessage() . PHP_EOL;
+}
+
+socket_close($socket);
+?>
+--EXPECTF--
+socket_sendto(): Argument #5 ($address) must be less than %d