ext/sockets: socket_sendto() add max addr length control for AF_UNIX.

we just mirror what is done for socket_connect()/AF_UNIX type.

close GH-21218

Author: devnexen

NEWS

@@ -41,6 +41,8 @@ PHP                                                                        NEWS
 - Sockets:
   . Fixed bug GH-21161 (socket_set_option() crash with array 'addr'
     entry as null). (David Carlier)
+  . Fixed possible addr length overflow with socket_connect() and AF_UNIX
+    family sockets. (David Carlier)
 
 - Windows:
   . Fixed compilation with clang (missing intrin.h include). (Kévin Dunglas)

ext/sockets/sockets.c

@@ -1584,6 +1584,12 @@ PHP_FUNCTION(socket_sendto)
 	switch (php_sock->type) {
 		case AF_UNIX:
 			memset(&s_un, 0, sizeof(s_un));
+
+			if (addr_len >= sizeof(s_un.sun_path)) {
+				zend_argument_value_error(5, "must be less than %d", sizeof(s_un.sun_path));
+				RETURN_THROWS();
+			}
+
 			s_un.sun_family = AF_UNIX;
 			snprintf(s_un.sun_path, sizeof(s_un.sun_path), "%s", addr);
 

ext/sockets/tests/socket_sendto_unix_addr_too_long.phpt

@@ -0,0 +1,29 @@
+--TEST--
+socket_sendto() with AF_UNIX rejects address exceeding sun_path limit
+--EXTENSIONS--
+sockets
+--SKIPIF--
+<?php
+if (substr(PHP_OS, 0, 3) == 'WIN') {
+    die('skip not valid for Windows');
+}
+?>
+--FILE--
+<?php
+$socket = socket_create(AF_UNIX, SOCK_DGRAM, 0);
+if (!$socket) {
+    die('Unable to create AF_UNIX socket');
+}
+
+$long_addr = str_repeat('a', 512);
+
+try {
+    socket_sendto($socket, "data", 4, 0, $long_addr);
+} catch (\ValueError $e) {
+    echo $e->getMessage() . PHP_EOL;
+}
+
+socket_close($socket);
+?>
+--EXPECTF--
+socket_sendto(): Argument #5 ($address) must be less than %d