PHP :: Bug #50540 :: Segmentation fault while running ldap_next

Bug #50540	Segmentation fault while running ldap_next_reference
Submitted:	2009-12-21 09:29 UTC	Modified:	2009-12-21 20:40 UTC
From:	sriram dot natarajan at gmail dot com	Assigned:	srinatar (profile)
Status:	Closed	Package:	LDAP related
PHP Version:	5.2SVN-2009-12-21 (snap)	OS:	RHEL5.2
Private report:	No	CVE-ID:	None

View Developer Edit

[2009-12-21 09:29 UTC] sriram dot natarajan at gmail dot com

Description:
------------
found segmentation fault on free with invalid pointer while running 
php ldap unit test cases on Redhat enterprise linux 5.2 (64-bit)

PASS ldap_next_attribute() - Testing ldap_next_attribute() that should 
fail [ext/ldap/tests/ldap_next_attribute_error.phpt]
PASS ldap_next_entry() - Basic ldap_first_entry test 
[ext/ldap/tests/ldap_next_entry_basic.phpt]
PASS ldap_next_entry() - Testing ldap_next_entry() that should fail 
[ext/ldap/tests/ldap_next_entry_error.phpt]
*** glibc detected *** /export/home/sriramn/php/sapi/cli/php: free(): 
invalid pointer: 0x00007fffe402f898 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3660e71634]
/lib64/libc.so.6(cfree+0x8c)[0x3660e74c5c]
/export/home/sriramn/php/sapi/cli/php[0x4e0ba2]
/export/home/sriramn/php/sapi/cli/php(list_entry_destructor+0x85)[0x6d
e62a]
/export/home/sriramn/php/sapi/cli/php(zend_hash_del_key_or_index+0x1fd
)[0x6dbe0b]
/export/home/sriramn/php/sapi/cli/php(_zend_list_delete+0x57)[0x6de116
]
/export/home/sriramn/php/sapi/cli/php(_zval_dtor_func+0xa3)[0x6cd79f]
/export/home/sriramn/php/sapi/cli/php[0x6bf1d8]
/export/home/sriramn/php/sapi/cli/php(_zval_ptr_dtor+0x36)[0x6bf3e0]
/export/home/sriramn/php/sapi/cli/php[0x6dc21b]
/export/home/sriramn/php/sapi/cli/php(zend_hash_graceful_reverse_destr
oy+0x27)[0x6dc30d]
/export/home/sriramn/php/sapi/cli/php(shutdown_executor+0x4d)[0x6beedc
]
/export/home/sriramn/php/sapi/cli/php(zend_deactivate+0x5f)[0x6cee43]
/export/home/sriramn/php/sapi/cli/php(php_request_shutdown+0x203)[0x67
c99d]
/export/home/sriramn/php/sapi/cli/php(main+0x1742)[0x74d7ef]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3660e1d8b4]
/export/home/sriramn/php/sapi/cli/php(realloc+0x409)[0x4467a9]

note: i haven't tried this on 32-bit. here, php is compiled in 32-bit.


Reproduce code:
---------------
- enable ldap server from RHEL 5.2 (64-bit)
- enable ldap server to run as root with secret as rootpw
- running php ldap unit test case causes segv.

Expected result:
----------------
- test pass successfully

Actual result:
--------------
- segv seen while running ldap_next_entry_*phpt

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-12-21 09:33 UTC] srinatar@php.net

analyzing the core dump, got some more info..

#0  0x0000003662e0675d in ber_free () from /usr/lib64/liblber-2.3.so.0
#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at 
/export/home/sriramn/php/ext/ldap/ldap.c:223
#2  0x00000000006de62a in list_entry_destructor (ptr=0x94873a0) at 
/export/home/sriramn/php/Zend/zend_list.c:184
#3  0x00000000006dbe0b in zend_hash_del_key_or_index (ht=0xaa99a8, 
arKey=0x0, nKeyLength=0, h=7, flag=1)
    at /export/home/sriramn/php/Zend/zend_hash.c:497
#4  0x00000000006de116 in _zend_list_delete (id=7) at 
/export/home/sriramn/php/Zend/zend_list.c:58
#5  0x00000000006cd79f in _zval_dtor_func (zvalue=0x94873e0) at 
/export/home/sriramn/php/Zend/zend_variables.c:59
#6  0x00000000006bf1d8 in _zval_dtor (zvalue=0x94873e0) at 
/export/home/sriramn/php/Zend/zend_variables.h:35
#7  0x00000000006bf3e0 in _zval_ptr_dtor (zval_ptr=0x9488ac0) at 
/export/home/sriramn/php/Zend/zend_execute_API.c:414
#8  0x00000000006dc21b in zend_hash_apply_deleter (ht=0xaa98a8, 
p=0x9488aa8) at /export/home/sriramn/php/Zend/zend_hash.c:611
#9  0x00000000006dc30d in zend_hash_graceful_reverse_destroy 
(ht=0xaa98a8) at /export/home/sriramn/php/Zend/zend_hash.c:646
#10 0x00000000006beedc in shutdown_executor () at 
/export/home/sriramn/php/Zend/zend_execute_API.c:239
#11 0x00000000006cee43 in zend_deactivate () at 
/export/home/sriramn/php/Zend/zend.c:860
#12 0x000000000067c99d in php_request_shutdown (dummy=0x0) at 
/export/home/sriramn/php/main/main.c:1504
#13 0x000000000074d7ef in main (argc=57, argv=0x7fff248479c8) at 
/export/home/sriramn/php/sapi/cli/php_cli.c:1346

#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at 
/export/home/sriramn/php/ext/ldap/ldap.c:223
223                     ber_free(entry->ber, 0);
(gdb) p *entry
$10 = {data = 0x94adf20, ber = 0x3d63642c6e69616d, id = 6}
(gdb) up
#2  0x00000000006de62a in list_entry_destructor (ptr=0x94873a0) at 
/export/home/sriramn/php/Zend/zend_list.c:184
184                                             ld->list_dtor_ex(le 
TSRMLS_CC);
(gdb) ptype ld
type = struct _zend_rsrc_list_dtors_entry {
    void (*list_dtor)(void *);
    void (*plist_dtor)(void *);
    rsrc_dtor_func_t list_dtor_ex;
    rsrc_dtor_func_t plist_dtor_ex;
    char *type_name;
    int module_number;
    int resource_id;
    unsigned char type;
} *   
#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at 
/export/home/sriramn/php/ext/ldap/ldap.c:223
223                     ber_free(entry->ber, 0);
(gdb) ptype entry
type = struct {
    LDAPMessage *data;
    BerElement *ber;
    int id;
} *

[2009-12-21 11:29 UTC] jani@php.net

Exactly what openldap version have you compiled PHP with?

[2009-12-21 18:15 UTC] sriram dot natarajan at gmail dot com

sriramn@memcache]'php'>rpm -qa | grep openldap
openldap-devel-2.3.27-8.el5_1.3
openldap-2.3.27-8.el5_1.3
openldap-devel-2.3.27-8.el5_1.3
openldap-servers-2.3.27-8.el5_1.3
openldap-2.3.27-8.el5_1.3
[sriramn2@memcache]'php-5.2.12'>

ldap version is the default version that is shipped within RHEL 5.2.

[2009-12-21 19:16 UTC] srinatar@php.net

changed the synopsis of the bug from Segmentation fault with 
"free:invalid pointer while running ldap unit tests

to 
core dump while running ldap_next_reference test cases.

i am testing a patch that addresses this issue.

[2009-12-21 20:39 UTC] svn@php.net

Automatic comment from SVN on behalf of srinatar
Revision: http://svn.php.net/viewvc/?view=revision&revision=292437
Log: Fixed bug #50540 (Crash within ldap_first_reference function)

[2009-12-21 20:40 UTC] srinatar@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 09:01:32 2024 UTC