php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50540 Segmentation fault while running ldap_next_reference
Submitted: 2009-12-21 09:29 UTC Modified: 2009-12-21 20:40 UTC
From: sriram dot natarajan at gmail dot com Assigned: srinatar (profile)
Status: Closed Package: LDAP related
PHP Version: 5.2SVN-2009-12-21 (snap) OS: RHEL5.2
Private report: No CVE-ID: None
 [2009-12-21 09:29 UTC] sriram dot natarajan at gmail dot com
Description:
------------
found segmentation fault on free with invalid pointer while running 
php ldap unit test cases on Redhat enterprise linux 5.2 (64-bit)

PASS ldap_next_attribute() - Testing ldap_next_attribute() that should 
fail [ext/ldap/tests/ldap_next_attribute_error.phpt]
PASS ldap_next_entry() - Basic ldap_first_entry test 
[ext/ldap/tests/ldap_next_entry_basic.phpt]
PASS ldap_next_entry() - Testing ldap_next_entry() that should fail 
[ext/ldap/tests/ldap_next_entry_error.phpt]
*** glibc detected *** /export/home/sriramn/php/sapi/cli/php: free(): 
invalid pointer: 0x00007fffe402f898 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3660e71634]
/lib64/libc.so.6(cfree+0x8c)[0x3660e74c5c]
/export/home/sriramn/php/sapi/cli/php[0x4e0ba2]
/export/home/sriramn/php/sapi/cli/php(list_entry_destructor+0x85)[0x6d
e62a]
/export/home/sriramn/php/sapi/cli/php(zend_hash_del_key_or_index+0x1fd
)[0x6dbe0b]
/export/home/sriramn/php/sapi/cli/php(_zend_list_delete+0x57)[0x6de116
]
/export/home/sriramn/php/sapi/cli/php(_zval_dtor_func+0xa3)[0x6cd79f]
/export/home/sriramn/php/sapi/cli/php[0x6bf1d8]
/export/home/sriramn/php/sapi/cli/php(_zval_ptr_dtor+0x36)[0x6bf3e0]
/export/home/sriramn/php/sapi/cli/php[0x6dc21b]
/export/home/sriramn/php/sapi/cli/php(zend_hash_graceful_reverse_destr
oy+0x27)[0x6dc30d]
/export/home/sriramn/php/sapi/cli/php(shutdown_executor+0x4d)[0x6beedc
]
/export/home/sriramn/php/sapi/cli/php(zend_deactivate+0x5f)[0x6cee43]
/export/home/sriramn/php/sapi/cli/php(php_request_shutdown+0x203)[0x67
c99d]
/export/home/sriramn/php/sapi/cli/php(main+0x1742)[0x74d7ef]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3660e1d8b4]
/export/home/sriramn/php/sapi/cli/php(realloc+0x409)[0x4467a9]

note: i haven't tried this on 32-bit. here, php is compiled in 32-bit.


Reproduce code:
---------------
- enable ldap server from RHEL 5.2 (64-bit)
- enable ldap server to run as root with secret as rootpw
- running php ldap unit test case causes segv.

Expected result:
----------------
- test pass successfully

Actual result:
--------------
- segv seen while running ldap_next_entry_*phpt

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-12-21 09:33 UTC] srinatar@php.net
analyzing the core dump, got some more info..

#0  0x0000003662e0675d in ber_free () from /usr/lib64/liblber-2.3.so.0
#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at 
/export/home/sriramn/php/ext/ldap/ldap.c:223
#2  0x00000000006de62a in list_entry_destructor (ptr=0x94873a0) at 
/export/home/sriramn/php/Zend/zend_list.c:184
#3  0x00000000006dbe0b in zend_hash_del_key_or_index (ht=0xaa99a8, 
arKey=0x0, nKeyLength=0, h=7, flag=1)
    at /export/home/sriramn/php/Zend/zend_hash.c:497
#4  0x00000000006de116 in _zend_list_delete (id=7) at 
/export/home/sriramn/php/Zend/zend_list.c:58
#5  0x00000000006cd79f in _zval_dtor_func (zvalue=0x94873e0) at 
/export/home/sriramn/php/Zend/zend_variables.c:59
#6  0x00000000006bf1d8 in _zval_dtor (zvalue=0x94873e0) at 
/export/home/sriramn/php/Zend/zend_variables.h:35
#7  0x00000000006bf3e0 in _zval_ptr_dtor (zval_ptr=0x9488ac0) at 
/export/home/sriramn/php/Zend/zend_execute_API.c:414
#8  0x00000000006dc21b in zend_hash_apply_deleter (ht=0xaa98a8, 
p=0x9488aa8) at /export/home/sriramn/php/Zend/zend_hash.c:611
#9  0x00000000006dc30d in zend_hash_graceful_reverse_destroy 
(ht=0xaa98a8) at /export/home/sriramn/php/Zend/zend_hash.c:646
#10 0x00000000006beedc in shutdown_executor () at 
/export/home/sriramn/php/Zend/zend_execute_API.c:239
#11 0x00000000006cee43 in zend_deactivate () at 
/export/home/sriramn/php/Zend/zend.c:860
#12 0x000000000067c99d in php_request_shutdown (dummy=0x0) at 
/export/home/sriramn/php/main/main.c:1504
#13 0x000000000074d7ef in main (argc=57, argv=0x7fff248479c8) at 
/export/home/sriramn/php/sapi/cli/php_cli.c:1346

#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at 
/export/home/sriramn/php/ext/ldap/ldap.c:223
223                     ber_free(entry->ber, 0);
(gdb) p *entry
$10 = {data = 0x94adf20, ber = 0x3d63642c6e69616d, id = 6}
(gdb) up
#2  0x00000000006de62a in list_entry_destructor (ptr=0x94873a0) at 
/export/home/sriramn/php/Zend/zend_list.c:184
184                                             ld->list_dtor_ex(le 
TSRMLS_CC);
(gdb) ptype ld
type = struct _zend_rsrc_list_dtors_entry {
    void (*list_dtor)(void *);
    void (*plist_dtor)(void *);
    rsrc_dtor_func_t list_dtor_ex;
    rsrc_dtor_func_t plist_dtor_ex;
    char *type_name;
    int module_number;
    int resource_id;
    unsigned char type;
} *   
#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at 
/export/home/sriramn/php/ext/ldap/ldap.c:223
223                     ber_free(entry->ber, 0);
(gdb) ptype entry
type = struct {
    LDAPMessage *data;
    BerElement *ber;
    int id;
} *   

 [2009-12-21 11:29 UTC] jani@php.net
Exactly what openldap version have you compiled PHP with?
 [2009-12-21 18:15 UTC] sriram dot natarajan at gmail dot com
sriramn@memcache]'php'>rpm -qa | grep openldap
openldap-devel-2.3.27-8.el5_1.3
openldap-2.3.27-8.el5_1.3
openldap-devel-2.3.27-8.el5_1.3
openldap-servers-2.3.27-8.el5_1.3
openldap-2.3.27-8.el5_1.3
[sriramn2@memcache]'php-5.2.12'>

ldap version is the default version that is shipped within RHEL 5.2.
 [2009-12-21 19:16 UTC] srinatar@php.net
changed the synopsis of the bug from Segmentation fault with 
"free:invalid pointer while running ldap unit tests

to 
core dump while running ldap_next_reference test cases.

i am testing a patch that addresses this issue.
 [2009-12-21 20:39 UTC] svn@php.net
Automatic comment from SVN on behalf of srinatar
Revision: http://svn.php.net/viewvc/?view=revision&revision=292437
Log: Fixed bug #50540 (Crash within ldap_first_reference function)
 [2009-12-21 20:40 UTC] srinatar@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC