Skip to content

GH-22617: avoid null byte truncation of persistent stream keys#22704

Open
devnexen wants to merge 2 commits into
php:PHP-8.4from
devnexen:gh22617
Open

GH-22617: avoid null byte truncation of persistent stream keys#22704
devnexen wants to merge 2 commits into
php:PHP-8.4from
devnexen:gh22617

Conversation

@devnexen

Copy link
Copy Markdown
Member

Abstract unix domain socket addresses begin with a null byte, but the persistent stream list is keyed by a NUL-terminated string. The key was truncated at that null byte, so distinct abstract sockets collapsed onto the same persistent resource in p(f)sockopen() and stream_socket_client().

Escape null bytes (and backslashes, to stay unambiguous) when building the persistent hash key so the full address is preserved.

Abstract unix domain socket addresses begin with a null byte, but the
persistent stream list is keyed by a NUL-terminated string. The key was
truncated at that null byte, so distinct abstract sockets collapsed onto
the same persistent resource in p(f)sockopen() and stream_socket_client().

Escape null bytes (and backslashes, to stay unambiguous) when building the
persistent hash key so the full address is preserved.

Fix php#22617
@devnexen devnexen marked this pull request as ready for review July 12, 2026 07:06
@devnexen devnexen requested a review from bukka as a code owner July 12, 2026 07:06
Comment thread main/streams/streams.c Outdated
zend_string *php_stream_escape_persistent_key(const char *host, size_t hostlen)
{
size_t escaped_len = 0, i;
for (i = 0; i < hostlen; i++) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless the input length is bounded, this can allow a string length overflow on 32-bits.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants