From c3bd5d280e1f6806447d9e4f411d8508507f04cf Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 14 Feb 2026 16:43:34 +0000
Subject: [PATCH] ext/sockets: socket_sendto() add max addr length control for AF_UNIX.

we just mirror what is done for socket_connect()/AF_UNIX type.
---
 ext/sockets/sockets.c | 6 ++++
 .../socket_sendto_unix_addr_too_long.phpt | 29 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 ext/sockets/tests/socket_sendto_unix_addr_too_long.phpt

diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index 5f0127e94f211..79d5f77856d5c 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -1584,6 +1584,12 @@ PHP_FUNCTION(socket_sendto)
 switch (php_sock->type) {
 case AF_UNIX:
 memset(&s_un, 0, sizeof(s_un));
+
+ if (addr_len >= sizeof(s_un.sun_path)) {
+ zend_argument_value_error(5, "must be less than %d", sizeof(s_un.sun_path));
+ RETURN_THROWS();
+ }
+
 s_un.sun_family = AF_UNIX;
 snprintf(s_un.sun_path, sizeof(s_un.sun_path), "%s", addr);
 
diff --git a/ext/sockets/tests/socket_sendto_unix_addr_too_long.phpt b/ext/sockets/tests/socket_sendto_unix_addr_too_long.phpt
new file mode 100644
index 0000000000000..f2b62527e3374
--- /dev/null
+++ b/ext/sockets/tests/socket_sendto_unix_addr_too_long.phpt
@@ -0,0 +1,29 @@
+--TEST--
+socket_sendto() with AF_UNIX rejects address exceeding sun_path limit
+--EXTENSIONS--
+sockets
+--SKIPIF--
+
+--FILE--
+getMessage() . PHP_EOL;
+}
+
+socket_close($socket);
+?>
+--EXPECTF--
+socket_sendto(): Argument #5 ($address) must be less than %d
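Review bot: In the new AF_UNIX guard of socket_sendto(), the error call passes `sizeof(s_un.sun_path)` (a `size_t`) to a `%d` conversion, which is a varargs type mismatch where `size_t` is wider than `int`; I would write `zend_argument_value_error(5, "must be less than %zu", sizeof(s_un.sun_path));`. The guard would also benefit from a one-line why-comment such as `/* reject instead of letting snprintf() truncate: a shortened sun_path names a different socket */`, since that is the reason the length is checked before the copy. Note that `addr_len` counts bytes while the `snprintf(..., "%s", addr)` below stops at the first NUL, so an address with an embedded NUL would still be shortened silently unless the parameter parsing (outside this hunk) already rejects it. The function body starts and ends outside the hunk, so the declaration of `addr_len` and the later sendto() call are not visible here.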