php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #50722 Memory corruption / SegFault with WSDL in-memory cache
Submitted: 2010-01-11 17:51 UTC Modified: 2021-02-21 04:22 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (33.3%)
From: meatloafninja at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: SOAP related
PHP Version: 5.2.12 OS: CentOS 5.x
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2010-01-11 17:51 UTC] meatloafninja at gmail dot com 
Description:
------------
If you enable WSDL caching and set the cache type to 2 (memory) or 3 (both disk and memory), and create a SoapServer with a WSDL, and within the context of that SoapServer create multiple SoapClient connections to external web services with WSDLs (exceeding the soap.wsdl_cache_limit setting), the SoapServer's in-memory copy of its own WSDL will get removed / freed.

This causes a segmentation fault of the web server child process or a corrupt / invalid XML response, as the SoapServer will be unable to access its own WSDL when the time comes to send its response to the original requesting client.

The SoapServer WSDL should be protected from removal.



Reproduce code:
---------------
<?php
ini_set('soap.wsdl_cache_enabled', 1);
ini_set('soap.wsdl_cache', 3);

function test($x)
{
    $client1 = new SoapClient("http://some.other.host/client1.wsdl");
    $client2 = new SoapClient("http://some.other.host/client2.wsdl");
    $client3 = new SoapClient("http://some.other.host/client3.wsdl");
    $client4 = new SoapClient("http://some.other.host/client4.wsdl");
    $client5 = new SoapClient("http://some.other.host/client5.wsdl");

    return $x; //web server segfaults or corrupt XML returned
}

$server = new SoapServer("server.wsdl");
$server->addFunction("test");
$server->handle();
?>

Expected result:
----------------
A valid XML response as defined by server.wsdl.

Actual result:
--------------
Either a segmentation fault on the web server and a "Could not fetch HTTP headers" error on the client, or a corrupted XML response.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-01-11 20:48 UTC] srinatar@php.net 
sounds similar to bug #50675 (See Also)
 [2010-01-13 13:34 UTC] srinatar@php.net 
thanks for taking time to report this issue to us. can u please try to 
reproduce this issue with the latest snapshot. i am currently not able 
to reproduce with the latest snapshot. 

you can get the latest snapshot php source from

http://snaps.php.net/

For Windows:

http://windows.php.net/snapshots/
 [2010-01-14 23:30 UTC] meatloafninja at gmail dot com 
It is not fixed, I can still reproduce the segmentation fault with the snapshot version.
 [2016-11-02 23:02 UTC] gcarrette at wayfair dot com 
Experienced this bug in PHP 7.0.12 and
posted a script to reproduce in Bug #71931
since that has a lot more recent activity.
My backtrace was

Program received signal SIGSEGV, Segmentation fault.
#0  zend_hash_destroy (ht=0x24dec60) at php-7.0.12/Zend/zend_hash.c:1278
#1  0x000000000061720e in delete_type_persistent (zv=<optimized out>) at php-7.0.12/ext/soap/php_schema.c:2459
#2  0x000000000072f2dd in zend_hash_destroy (ht=0x2e23850) at php-7.0.12/Zend/zend_hash.c:1265
#3  0x000000000061e2a1 in delete_psdl_int (p=<optimized out>)  at php-7.0.12/ext/soap/php_sdl.c:3130
#4  0x000000000061e30f in delete_psdl (zv=0x23b9c30) at php-7.0.12/ext/soap/php_sdl.c:3150
#5  0x000000000072f221 in zend_hash_destroy (ht=0x11652a0) at php-7.0.12/Zend/zend_hash.c:1284
#6  0x00000000005ef729 in zm_shutdown_soap (type=<optimized out>, module_number=23) at php-7.0.12/ext/soap/soap.c:598
#7  0x00000000007252f3 in module_destructor (module=module@entry=0xf468c0) at php-7.0.12/Zend/zend_API.c:2503
#8  0x000000000071de4c in module_destructor_zval (zv=<optimized out>) at php-7.0.12/Zend/zend.c:615
#9  0x000000000072fd48 in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=<optimized out>, ht=<optimized out>) at php-7.0.12/Zend/zend_hash.c:1026
#10 _zend_hash_del_el (p=0xf23500, idx=22, ht=0xf15e60 <module_registry>) at php-7.0.12/Zend/zend_hash.c:1050
#11 zend_hash_graceful_reverse_destroy (ht=ht@entry=0xf15e60 <module_registry>) at php-7.0.12/Zend/zend_hash.c:1502
#12 0x000000000072372c in zend_destroy_modules () at php-7.0.12/Zend/zend_API.c:1982
#13 0x000000000071edb5 in zend_shutdown () at php-7.0.12/Zend/zend.c:840
#14 0x00000000006c340b in php_module_shutdown () at php-7.0.12/main/main.c:2362
#15 0x0000000000435855 in main (argc=3, argv=0xf19c80) at php-7.0.12/sapi/cli/php_cli.c:135
 [2021-02-11 21:39 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-02-11 21:39 UTC] cmb@php.net 
If this is a duplicate of #71931, this is supposed to be fixed as of PHP 7.1.14 and 7.2.2, respectively.
 [2021-02-21 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 18:01:28 2024 UTC