PHP :: Bug #21167 :: ldapclose() SEGFAULTs

Bug #21167

ldapclose() SEGFAULTs

Submitted:

2002-12-23 12:06 UTC

Modified:

2003-01-15 13:25 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

rsaura at retevision dot es

Assigned:

Status:

Not a bug

Package:

LDAP related

PHP Version:

4.2.2

OS:

Linux Redhat 8.0

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	rsaura at retevision dot es
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-12-23 12:06 UTC] rsaura at retevision dot es

The following code will segfault with php-4.2.2 on RH-8.0
It queries a Microsoft Active Directory via LDAPv3.
It is suposed to create a session if a given user exists in the directory, belongs to a given group and can bind to the directory with the given password.

$ds=ldap_connect($LDAP_SERVER);
if($ds){

        ldap_bind($ds, $QUERYUSER_DN, $QUERYUSER_PASS);
        $err=ldap_errno($ds);
        if($err==0){
                $sr=ldap_search($ds, $BASE_DN, "samaccountname=rsaura", array ("distinguishedName"), 0, 10000, 30, LDAP_DEREF_NEVER);
                $entry = ldap_first_entry($ds, $sr);
                if($entry == FALSE){
                        exit;
                }
                $attrs = ldap_get_attributes($ds, $entry);
                $dn = $attrs["distinguishedName"][0];

                $test=0;
                $sr = ldap_search($ds, $BASE_DN, $GROUP_MEMBERSHIP, array ("member"), 0, 10000, 30, LDAP_DEREF_NEVER);
                $entry = ldap_first_entry($ds, $sr);
                $attrs = ldap_get_attributes($ds, $entry);
                foreach ($attrs["member"] as $user){
                        if($user==$dn){
                                $test=1;
                                break;
                        }
                }
                if($test==0){
                        exit;
                }
                ldap_close($ds); <---segfaults here!
        } else {
                exit;
        }
} else {
        exit;
}

$ds=ldap_connect($LDAP_SERVER);

if($ds){
        ldap_bind($ds, $dn, $password);
	$err=ldap_errno($ds);
	if($err==0){
		$loginok=1;
	} else {
                exit;   
	}
	ldap_close($ds);
} else {
	exit;
}

if($loginok == 1){
	session_start();
	session_register("loginok");
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-12-23 12:07 UTC] iliaa@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip

[2002-12-23 12:25 UTC] rsaura at retevision dot es

It works with php4-200212231630.

Does anybody know if this is patched on a production release?

[2002-12-23 12:27 UTC] iliaa@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

The 4.3.0 release will soon be released as 'stable', the RC4 is probably 99.5% of what the 4.3.0 final will be. If using 4.3.0 solves the bug, that is the release you should probably use.

[2003-01-03 09:21 UTC] rsaura at retevision dot es

Erroneously closed.

The above code segfaults spuriously on 4.2.2, 4.3.0 and 4.4.0-dev (latest CVS snapshot) on RH-8.0 linux system with the following ldap libraries installed:

[root@avipsa64 root]# rpm -qa |grep ldap
nss_ldap-198-3
openldap-devel-2.0.25-1
openldap-clients-2.0.25-1
openldap-2.0.25-1

SIGSEGVs with CGI and DSO versions.

the stack backtrace on the core file shows:

[root@avipsa64 vmps]# gdb -c core.22324
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
Core was generated by `/home/rsaura/php-4.3.0/sapi/cgi/php -f pp.php4'.
Program terminated with signal 11, Segmentation fault.
#0  0x40055615 in ?? ()
(gdb) bt
#0  0x40055615 in ?? ()
#1  0x4004e62c in ?? ()
#2  0x4004e38b in ?? ()
#3  0x4004e66f in ?? ()
#4  0x0807bbab in ?? ()
#5  0x081165c1 in ?? ()
#6  0x081152cb in ?? ()
#7  0x081163e1 in ?? ()
#8  0x0807c160 in ?? ()
#9  0x0811ca3a in ?? ()
#10 0x08111f0b in ?? ()
#11 0x080f175c in ?? ()
#12 0x08120b0f in ?? ()
#13 0x420158d4 in ?? ()
(gdb) q
[root@avipsa64 vmps]# ldd /home/rsaura/php-4.3.0/sapi/cgi/php
        libexpat.so.0 => /usr/lib/libexpat.so.0 (0x4001c000)
        libldap.so.2 => /usr/lib/libldap.so.2 (0x4003d000)
        liblber.so.2 => /usr/lib/liblber.so.2 (0x40067000)
        libz.so.1 => /usr/lib/libz.so.1 (0x40072000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40080000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x400ad000)
        libm.so.6 => /lib/i686/libm.so.6 (0x400bf000)
        libdl.so.2 => /lib/libdl.so.2 (0x400e2000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x400e5000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x400fa000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        libsasl.so.7 => /usr/lib/libsasl.so.7 (0x401a2000)
        libssl.so.2 => /lib/libssl.so.2 (0x401ad000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x401de000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x402b2000)
        libpam.so.0 => /lib/libpam.so.0 (0x402b9000)
[root@avipsa64 vmps]#

the faults seems to happen inside libldap.

best regards.

[2003-01-03 11:49 UTC] iliaa@php.net

Could you compile your PHP with --enable-debug flag, so that your backtrace contains more information.

[2003-01-03 14:19 UTC] rsaura at retevision dot es

I've configured PHP-4.3.0 this way:

./configure --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --with-config-file-path=/etc --enable-force-cgi-redirect --enable-debug --enable-pic --disable-rpath --enable-inline-optimization --with-dom=/usr --with-exec-dir=/usr/bin --with-gettext --with-regex=system --with-xml --with-expat-dir=/usr --with-zlib --with-layout=GNU --enable-exif --enable-ftp --enable-magic-quotes --enable-safe-mode --enable-sockets --enable-sysvsem --enable-sysvshm --enable-discard-path --enable-track-vars --enable-trans-sid --with-pear=/usr/share/pear --with-ldap --enable-memory-limit --enable-shmop --enable-versioning

but the new core file does not show any debug symbol:

[root@avipsa64 vmps]# gdb -c core.23469
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
Core was generated by `/home/rsaura/php-4.3.0/sapi/cgi/php -f pp.php4'.
Program terminated with signal 11, Segmentation fault.
#0  0x40055615 in ?? ()
(gdb) bt
#0  0x40055615 in ?? ()
#1  0x4004e62c in ?? ()
#2  0x4004e38b in ?? ()
#3  0x4004e66f in ?? ()
#4  0x08084347 in ?? ()
#5  0x08155369 in ?? ()
#6  0x081534e7 in ?? ()
#7  0x081550c9 in ?? ()
#8  0x08084aad in ?? ()
#9  0x0815e1b6 in ?? ()
#10 0x0814e864 in ?? ()
#11 0x0811fb1a in ?? ()
#12 0x08164322 in ?? ()
#13 0x420158d4 in ?? ()
(gdb)

[2003-01-05 13:37 UTC] iliaa@php.net

Did you do make clean & removed config.cache before compiling PHP with --enable-debug flag?
Also, try running the php via gdb,
gdb /home/rsaura/php-4.3.0/sapi/cgi/php
run -f pp.php4

If your php binary does have debug symbols and the backtrace is still uninformative it is likely the crash is occuring within the ldap library itself.

[2003-01-05 16:10 UTC] rsaura at retevision dot es

iliaa,

>Did you do make clean & removed config.cache before >compiling PHP with --enable-debug flag?

yes, i did.

>Also, try running the php via gdb,
>gdb /home/rsaura/php-4.3.0/sapi/cgi/php
>run -f pp.php4

here you are...

[root@avipsa64 vmps]# gdb /home/rsaura/php-4.3.0/sapi/cgi/php
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) run -f pp.php4
Starting program: /home/rsaura/php-4.3.0/sapi/cgi/php -f pp.php4

Program received signal SIGSEGV, Segmentation fault.
0x40055615 in ldap_free_request () from /usr/lib/libldap.so.2
(gdb) bt
#0  0x40055615 in ldap_free_request () from /usr/lib/libldap.so.2
#1  0x4004e62c in ldap_ld_free () from /usr/lib/libldap.so.2
#2  0x4004e38b in ldap_unbind_ext () from /usr/lib/libldap.so.2
#3  0x4004e66f in ldap_unbind_s () from /usr/lib/libldap.so.2
#4  0x08084347 in _close_ldap_link (rsrc=0x820c8d4)
    at /home/rsaura/php-4.3.0/ext/ldap/ldap.c:175
#5  0x08155369 in list_entry_destructor (ptr=0x820c8d4)
    at /home/rsaura/php-4.3.0/Zend/zend_list.c:177
#6  0x081534e7 in zend_hash_del_key_or_index (ht=0x81b01e8, arKey=0x0,
    nKeyLength=0, h=3, flag=1) at /home/rsaura/php-4.3.0/Zend/zend_hash.c:514
#7  0x081550c9 in _zend_list_delete (id=3)
    at /home/rsaura/php-4.3.0/Zend/zend_list.c:56
#8  0x08084aad in zif_ldap_unbind (ht=1, return_value=0x820c894, this_ptr=0x0,
    return_value_used=0) at /home/rsaura/php-4.3.0/ext/ldap/ldap.c:482
#9  0x0815e1b6 in execute (op_array=0x820c49c)
    at /home/rsaura/php-4.3.0/Zend/zend_execute.c:1596
#10 0x0814e864 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /home/rsaura/php-4.3.0/Zend/zend.c:864
#11 0x0811fb1a in php_execute_script (primary_file=0xbffffaa0)
    at /home/rsaura/php-4.3.0/main/main.c:1573
#12 0x08164322 in main (argc=3, argv=0xbffffb44)
    at /home/rsaura/php-4.3.0/sapi/cgi/cgi_main.c:1424
#13 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
(gdb)

>If your php binary does have debug symbols and the 
>backtrace is still
>uninformative it is likely the crash is occuring within >the ldap library itself.

Indeed the symbol information shows it segfaulting on libldap.so (as sugested) but ldap-clients & ldap PAM module work fine here.

thanks.

[2003-01-15 13:25 UTC] iliaa@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

The segfault occurs 4 levels deep inside the ldap library itself. It is more then likely that the bug is not in PHP but rather in the ldap library you are using.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 02:00:01 2025 UTC