Fix socket_sendmsg() sending wrong fd for Socket objects in SCM_RIGHTS#22338
Open
iliaal wants to merge 1 commit into
Open
Fix socket_sendmsg() sending wrong fd for Socket objects in SCM_RIGHTS#22338iliaal wants to merge 1 commit into
iliaal wants to merge 1 commit into
Conversation
iliaal
added a commit
to iliaal/php-src
that referenced
this pull request
Jun 16, 2026
from_array_iterate() yields a 1-based index. The Socket-object branch of from_zval_write_fd_array_aux() wrote iarr[i] while the resource branch correctly used iarr[i - 1], so the first descriptor slot was left zeroed and every object descriptor was shifted up by one, with the last truncated by cmsg_len. socket_sendmsg() therefore transmitted the wrong descriptors (the first always fd 0) whenever a Socket object was passed in an SCM_RIGHTS control message. Closes phpGH-22338
iliaal
force-pushed
the
fix-scm-rights-fd
branch
from
9567392 to
fca8166
Compare
Member
|
fix itself lgtm, one suggestion for the test, send 1/2 fds in a single SCM_RIGHTS message. |
from_array_iterate() yields a 1-based index. The Socket-object branch of from_zval_write_fd_array_aux() wrote iarr[i] while the resource branch correctly used iarr[i - 1], so the first descriptor slot was left zeroed and every object descriptor was shifted up by one, with the last truncated by cmsg_len. socket_sendmsg() therefore transmitted the wrong descriptors (the first always fd 0) whenever a Socket object was passed in an SCM_RIGHTS control message. Closes phpGH-22338
iliaal
force-pushed
the
fix-scm-rights-fd
branch
from
fca8166 to
6da341f
Compare
Contributor
Author
|
@devnexen Done. |
devnexen
approved these changes
Jun 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
socket_sendmsg() transmits the wrong file descriptors when a Socket object is passed in an SCM_RIGHTS control message: the object branch of from_zval_write_fd_array_aux() indexes the fd array with the 1-based loop counter (iarr[i]) instead of iarr[i - 1] like the resource branch, so slot 0 stays zeroed and a single Socket object delivers fd 0 (stdin) to the receiver instead of the socket. Broken since the 8.0 resource-to-object conversion.
The existing socket_cmsg_rights.phpt only asserted is_resource() on the received descriptors, which masked this (the lost socket fd was replaced by stdin, still a stream); it now also accepts Socket objects.