Bug #11806 Using $string = md5($string); crashed HTTP child processes
Submitted: 2001-06-29 14:04 UTC Modified: 2001-09-09 07:38 UTC
From: joe at nowalls dot com Assigned: derick (profile)
Status: Closed Package: Reproducible crash
PHP Version: 4.0.6 OS: Linux 2.2.16
Private report: No CVE-ID: None
 [2001-06-29 14:04 UTC] joe at nowalls dot com
PHP Options:
'./configure' '--with-mysql' '--with-gd' '--enable-track-vars' '--with-jpeg-dir=/usr/local/lib' '--enable-bcmath' '--with-apache=../apache_1.3.20' '--enable-ftp' '--enable-sockets' '--with-mcrypt'

The problem I am having is:

When using the code:

$cipher = md5($cipher); httpd crashes the current child process with:

[Fri Jun 29 10:54:49 2001] [notice] child pid 9766 exit signal Segmentation fault (11)
[Fri Jun 29 10:54:50 2001] [notice] child pid 9920 exit signal Segmentation fault (11)

The page then fails to load, returning nothing to the browser.

Also, I have another function called CleanString($string); which looks like:

function CleanString($string)
{
        $string = strip_tags($string);
        $string = preg_replace("/<\/?(html|head|meta|title|body|font|img|.jpg|.gif|.vbs|script|tr|table|text).*>/","",$string);
        $string = preg_replace("/<\/?(HTML|HEAD|META|TITLE|BODY|FONT|IMG|.JPG|.GIF|.VBS|SCRIPT|TR|TABLE|TEXT).*>/","",$string);
        $string = preg_replace("/<[^>]*>/","",$string);
        return $string;
}

Calling this function like:

$string = CleanString($string); causes the same problem.

What's weird is I call md5() again below the problem code:

    $now = date("r");
    $thisID = md5(substr(makeID(), 0, 16));
    $onetimepass = substr(md5($thisID), 0, 8);

And neither of these causes the same problem, even when being used in the same document.


 [2001-06-30 05:10 UTC] derick@php.net
Can you please post your script as .txt file on the web, so that I can check how the $cipher is generated?
And is it possible for you to make a backtrace of this crash (http://www.php.net/bugs-generating-backtrace.php) as I couldn't reproduce it.

Derick
 [2001-06-30 21:52 UTC] joe at nowalls dot com
Update:

I have compiled php-4.0.6 with --enable-debug to try and get a backtrace, but when I do, the bug vanishes and the same code no longer crashes my httpd child process.

Here is some detailed info:

PHP 4.0.6 config line:
./configure  --with-mysql --with-gd --enable-track-vars --with-jpeg-dir=/usr/local/lib 
--enable-bcmath --with-apache=../apache_1.3.20 --enable-ftp --enable-sockets --with-mcrypt --enable-debug

and for Apache 1.3.20

EAPI_MM="../mm-1.1.3" \
SSL_BASE="../openssl-0.9.6a" \
./configure \
"--enable-module=ssl" \
"--with-layout=RedHat" \
"--activate-module=src/modules/php4/libphp4.a" \
"--enable-module=rewrite" \

The script that is causing this error is:
http://www.nerdnet.com/compose.phps

As you can see, a user submits a form, which is the source of $cipher, an alphanumeric string, which is then encrypted and other actions take place after.

I am not using the Zend Optimizer or anything unusual here at all... If I run the httpd thru gdb and reproduce the crash it gives me an error in shutdown_memory_manager() when it crashes, but not much else since the bug disappears when I compile in debug into PHP...  If any more info is needed let me know... Thanks PHP team, you guys rule!!!

Joe


 [2001-07-01 06:45 UTC] derick@php.net
Hello,

with debug enabled, do you see any errors in either your httpd errorlog or in /var/log/zenderrors ?

Derick
 [2001-07-01 12:14 UTC] joe at nowalls dot com
Derick,

Thanks, I did not think to check there this time.  I see the following, even with the $cipher = md5() and CleanString functions disabled:

[Sun Jul  1 09:11:55 2001]  Script:  '/home/nerdwww/compose.php'
---------------------------------------
mcrypt.c(1322) : Block 0x08429258 status:
Beginning:      OK (allocated on mcrypt.c:1252, 24 bytes)
      End:      Overflown (magic=0x35653364 instead of 0x2A8FCC84)
                At least 4 bytes overflown
---------------------------------------

Here are the calls I make using mcrypt outside of the compose.php script you have already seen:

http://www.nerdnet.com/functions.phps

Thanks again!

Joe
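
The debug report above flags the block because the word stored after its 24-byte payload no longer equals 0x2A8FCC84. The following is an added example, not code from PHP or from this report: a hypothetical allocator with the same kind of end-of-block guard check, plus a decoder that shows the logged value 0x35653364 as bytes. It assumes a little-endian (x86) host; all function names and the sample hex string are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define END_MAGIC 0x2A8FCC84u /* expected end-of-block value from the log */

/* Guard word after the payload, read little-endian (assumed x86 host). */
static uint32_t read_guard(const unsigned char *blk, size_t size) {
    const unsigned char *g = blk + size;
    return g[0] | (uint32_t)g[1] << 8 | (uint32_t)g[2] << 16 | (uint32_t)g[3] << 24;
}

/* Hypothetical debug allocator: payload followed by a 4-byte guard word. */
static unsigned char *guarded_alloc(size_t size) {
    unsigned char *p = malloc(size + 4);
    if (!p) return NULL;
    for (int i = 0; i < 4; i++) p[size + i] = (END_MAGIC >> (8 * i)) & 0xff;
    return p;
}

/* Show a guard word as its bytes in memory order; non-printables become '.'. */
static void guard_as_text(uint32_t found, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned char b = (found >> (8 * i)) & 0xff;
        out[i] = (b >= 0x20 && b < 0x7f) ? (char)b : '.';
    }
    out[4] = '\0';
}

/* Constructed scenario: 28 bytes of hex text land in a 24-byte payload.
 * Returns 1 if the guard was clobbered, 0 if intact, -1 on alloc failure. */
static int demo_overflow(char text[5]) {
    const char *hex = "0123456789abcdef0123456789abcdef"; /* constructed */
    unsigned char *blk = guarded_alloc(24); /* 24-byte block, as in the log */
    if (!blk) return -1;
    memcpy(blk, hex, 24 + 4); /* overrun stays inside the guard bytes */
    uint32_t found = read_guard(blk, 24);
    guard_as_text(found, text);
    free(blk);
    return found != END_MAGIC;
}

int main(void) {
    char a[5], b[5];
    int bad = demo_overflow(a);
    guard_as_text(0x35653364u, b); /* value quoted in the log */
    printf("demo overflown=%d \"%s\"; logged magic reads \"%s\"\n", bad, a, b);
    return 0;
}
```

Read in memory order, the logged value is the ASCII text d3e5, which suggests character data was written past the end of the 24-byte block.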

 [2001-07-10 08:55 UTC] zeev@php.net
This should be fixed in the latest CVS - please let me know if the problem still occurs.

 [2001-09-09 07:38 UTC] derick@php.net
No feedback, considered fixed.
 
Last updated: Thu Apr 18 06:01:28 2024 UTC