|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2011-08-12 01:19 UTC] felipe@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: dmitry
[2017-10-24 07:57 UTC] kalle@php.net
-Status: Assigned
+Status: Open
-Assigned To: dmitry
+Assigned To:
[2020-11-11 14:00 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: cmb
[2020-11-11 14:00 UTC] cmb@php.net
[2020-11-22 04:22 UTC] php-bugs at lists dot php dot net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Nov 01 17:00:02 2025 UTC |
Description: ------------ The PHP SOAP extension passes unsafe zvals as arguments to user functions (for example, __doRequest.) If that user function saves a reference to those zvals, it leads to memory corruption, generally resulting in a segmentation fault. Two example problems from ext/soap/soap.c. The whole SOAP extension needs to be audited for this: (1) Allocating a zval on the stack, then passing a pointer to that zval into a user function: zval param0; params[0] = ¶m0; call_user_function(..., params ...); (2) Failing to duplicate string buffers: // 'buf' is freed while references to its zval potentially still exist xmlDocDumpMemory(request, (xmlChar**)&buf, &buf_size); ZVAL_STRINGL(params[0], buf, buf_size, 0); // needs to be ", 1);" call_user_function(..., params ...); xmlFree(buf); static int do_request(..., char *location, ...) { // 'location' is malloc memory that may be freed before the zval ZVAL_STRING(params[1], location, 0); // needs to be ", 1);" call_user_function(..., params ...); Test script: --------------- <?php class CorruptSoap extends SoapClient { function __doRequest($request, $location, $action, $version, $one_way) { global $params; $params = array( 'request' => $request, 'location' => $location, 'action' => $action, 'version' => $version, 'one_way' => $one_way); debug_zval_dump($params); // Before return ""; } } $x = new CorruptSoap(NULL, array('location' => 'http://location/', 'uri' => 'http://uri/')); $x->Test(); debug_zval_dump($params); // After ?> Expected result: ---------------- The before/after debug_zval_dump output should look the same, with slightly different (but valid) reference counts. Actual result: -------------- Before the stack gets smashed: array(5) refcount(1){ ["request"]=> string(375) "<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://uri/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:Test/></SOAP-ENV:Body></SOAP-ENV:Envelope> " refcount(5) ["location"]=> string(16) "http://location/" refcount(5) ["action"]=> string(16) "http://uri/#Test" refcount(5) ["version"]=> long(1) refcount(5) ["one_way"]=> long(0) refcount(5) } After the stack has been smashed: array(5) refcount(2){ ["request"]=> NULL refcount(0) ["location"]=> NULL refcount(0) ["action"]=> NULL refcount(0) ["version"]=> NULL refcount(10153504) ["one_way"]=> NULL refcount(0) }