Bug #41353 openssl_pkcs12_read() does not verify the type of the first arg
Submitted: 2007-05-10 13:23 UTC Modified: 2007-05-13 17:37 UTC
From: tony2001@php.net Assigned:
Status: Closed Package: OpenSSL related
PHP Version: 5CVS-2007-05-10 (CVS) OS: Linux
Private report: No CVE-ID: None
 [2007-05-10 13:23 UTC] tony2001@php.net
Description:
------------
Function openssl_pkcs12_read() does not check the type of the first argument and uses it as a string in the call to BIO_write().
So if you pass a number as the first parameter, BIO_write() is called with garbage params and segfaults.

Reproduce code:
---------------
$a = 2;
openssl_pkcs12_read(1, $a, 1);

Actual result:
--------------
(gdb) r -r '$a = 2; openssl_pkcs12_read(1, $a, 1);'
Starting program: /home/tony/php-src_5_2/sapi/cli/php -r '$a = 1; openssl_pkcs12_read(1, $a, 1);'
[Thread debugging using libthread_db enabled]
[New Thread 182900459904 (LWP 1209)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 182900459904 (LWP 1209)]
0x00000031aef70bc0 in memcpy () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x00000031aef70bc0 in memcpy () from /lib64/tls/libc.so.6
#1  0x0000000000ac9f4b in mem_write ()
#2  0x0000000000ac9136 in BIO_write ()
#3  0x0000000000499009 in zif_openssl_pkcs12_read (ht=3, return_value=0x2a95b92fe8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x1080450)
    at /home/tony/php-src_5_2/ext/openssl/openssl.c:1565
#4  0x0000000000a1693e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbffff1b0, tsrm_ls=0x1080450) at zend_vm_execute.h:200
#5  0x0000000000a1c49a in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fbffff1b0, tsrm_ls=0x1080450) at zend_vm_execute.h:1681
#6  0x0000000000a16246 in execute (op_array=0x2a95b928a0, tsrm_ls=0x1080450) at zend_vm_execute.h:92
#7  0x00000000009cc67e in zend_eval_string (str=0x7fbffffbf9 "$a = 1; openssl_pkcs12_read(1, $a, 1);", retval_ptr=0x0, string_name=0xdfa8fc "Command line code",
    tsrm_ls=0x1080450) at /home/tony/php-src_5_2/Zend/zend_execute_API.c:1148
#8  0x00000000009cc8ca in zend_eval_string_ex (str=0x7fbffffbf9 "$a = 1; openssl_pkcs12_read(1, $a, 1);", retval_ptr=0x0, string_name=0xdfa8fc "Command line code",
    handle_exceptions=1, tsrm_ls=0x1080450) at /home/tony/php-src_5_2/Zend/zend_execute_API.c:1182
#9  0x0000000000a92527 in main (argc=3, argv=0x7fbffff9e8) at /home/tony/php-src_5_2/sapi/cli/php_cli.c:1177
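As an added illustration of the defect class in this report (not code from PHP or from the reporter): a tagged value whose string view is read without consulting the tag, beside the guarded accessor that rejects non-strings. The `value` layout, `make_long`, `make_string` and `pkcs12_read_guarded` are hypothetical simplifications, not PHP's real zval or openssl.c code.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical tagged value cell, simplified from how interpreters such as
 * PHP 5 lay out a variable: an integer and a string view share one union. */
typedef enum { T_LONG, T_STRING } vtype;
typedef struct {
    vtype type;
    union {
        long lval;                              /* integer payload */
        struct { char *val; int len; } str;     /* string payload, overlaps lval */
    } u;
} value;

static value make_long(long n) {
    value v; memset(&v, 0, sizeof v);
    v.type = T_LONG; v.u.lval = n; return v;
}

static value make_string(char *s) {
    value v; memset(&v, 0, sizeof v);
    v.type = T_STRING; v.u.str.val = s; v.u.str.len = (int)strlen(s); return v;
}

/* The defect class from the report: the string view is taken without looking
 * at the tag. For the integer 1 this yields the pointer (char *)1 plus whatever
 * bytes happen to sit in the length slot, which is what a BIO_write() would
 * then try to copy from. This only reports the pair; it never dereferences it. */
static void unchecked_string_view(const value *v, const char **p, int *len) {
    *p = v->u.str.val;
    *len = v->u.str.len;
}

/* The fix class: consult the tag first and refuse anything that is not a
 * string. Returns 0 and fills p/len on success, -1 when the argument is rejected. */
static int checked_string_view(const value *v, const char **p, int *len) {
    if (v->type != T_STRING) return -1;
    *p = v->u.str.val;
    *len = v->u.str.len;
    return 0;
}

/* Stand-in for the guarded entry point: the PKCS#12 blob must be a string
 * before its bytes are handed to any parser. */
static int pkcs12_read_guarded(const value *pkcs12, const char **data, int *len) {
    return checked_string_view(pkcs12, data, len);
}
```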


 [2007-05-13 17:37 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC