Bug #49424 ldap_search segfault Apache process
Submitted: 2009-08-31 15:53 UTC Modified: 2009-09-01 08:43 UTC
Votes:2
Avg. Score:4.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: jaroslav dot pulchart at centrum dot cz Assigned: patrickallaert
Status: Closed Package: LDAP related
PHP Version: 5.2.10 OS: *
Private report: No CVE-ID: None
 [2009-08-31 15:53 UTC] jaroslav dot pulchart at centrum dot cz
Description:
------------
The fix for bug #48441 in PHP 5.2.10 (http://bugs.php.net/bug.php?id=48441) restores the previous LDAP options, but it doesn't test whether the LDAP link pointer is NULL. This issue segfaults the Apache/PHP process.

Reproduce code:
---------------
ext/ldap/ldap.c
... 
ld = (ldap_linkdata *) zend_fetch_resource(link TSRMLS_CC, -1, "ldap link", NULL, 1, le_link);
if (ld == NULL) {
	ret = 0;
	goto cleanup;     /* "ld" is NULL !!!!!! */
}
...
cleanup: 
	// Restoring previous options
	php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit, old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref);   /* set options on ld == NULL !!!!!!! */
...

Expected result:
----------------
No segfault ;)


cleanup:
	if (ld != NULL) {
		// Restoring previous options
		php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit, old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref);
	}


Actual result:
--------------
#0  0x0000002a9a546437 in php_ldap_do_search (ht=7, return_value=0x2a9d41bda0, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, scope=2) at ./php-5.2.10/ext/ldap/ldap.c:909
909		php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit, old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref);
(gdb) bt full
#0  0x0000002a9a546437 in php_ldap_do_search (ht=7, return_value=0x2a9d41bda0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, scope=2)
    at ./php-5.2.10/ext/ldap/ldap.c:907
	link = (zval **) 0x2a997fd500
	base_dn = (zval **) 0x2a997fd508
	filter = (zval **) 0x2a997fd510
	attrs = (zval **) 0x2a997fd518
	attr = (zval **) 0x34
	attrsonly = (zval **) 0x2a997fd520
	sizelimit = (zval **) 0x2a997fd528
	timelimit = (zval **) 0x2a997fd530
	deref = (zval **) 0x2a98fb475d
	ldap_base_dn = 0x0
	ldap_filter = 0x2a9d41be10 "Array"
	ldap_attrs = (char **) 0x2a9d41bb88
	ld = (ldap_linkdata *) 0x0
	ldap_res = (LDAPMessage *) 0x8
	ldap_attrsonly = 0
	ldap_sizelimit = 0
	ldap_timelimit = 0
	ldap_deref = -1
	old_ldap_sizelimit = -1
	old_ldap_timelimit = -1
	old_ldap_deref = -1
	num_attribs = 0
	i = 0
	myargcount = 7
	ret = 0
#1  0x0000002a9a54655c in zif_ldap_search (ht=7, return_value=0x2a9d41bda0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at ./php-5.2.10/ext/ldap/ldap.c:936
No locals.
#2  0x0000002a98fd4b6e in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#3  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#4  0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#5  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#6  0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#7  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#8  0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#9  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#10 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#11 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#12 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#13 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#14 0x0000002a98fe317c in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#15 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#16 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#17 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#18 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#19 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#20 0x0000002a98fb5214 in zend_execute_scripts () from ./apache/modules/libphp5.so
No symbol table info available.
#21 0x0000002a98f723ad in php_execute_script () from ./apache/modules/libphp5.so
No symbol table info available.
#22 0x0000002a990443e6 in zend_get_zval_ptr_ptr () from ./apache/modules/libphp5.so
No symbol table info available.
#23 0x0000000000435c63 in ap_run_handler ()
No symbol table info available.
#24 0x0000000000436101 in ap_invoke_handler ()
No symbol table info available.
#25 0x0000000000442860 in ap_process_request ()
No symbol table info available.
#26 0x000000000043ffad in ap_filter_protocol ()
No symbol table info available.
#27 0x000000000043c653 in ap_run_process_connection ()
No symbol table info available.
#28 0x0000000000446970 in ap_graceful_stop_signalled ()
No symbol table info available.
#29 0x0000000000446b94 in ap_graceful_stop_signalled ()
No symbol table info available.
#30 0x0000000000446c2e in ap_graceful_stop_signalled ()
No symbol table info available.
#31 0x000000000044743d in ap_mpm_run ()
No symbol table info available.
#32 0x00000000004237e5 in main ()
No symbol table info available.
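To make the control-flow hazard in this report concrete, here is an added stand-alone C model, not PHP's ext/ldap code: ldap_link, ldap_linkdata, set_opts() and do_search_fixed() are constructed stand-ins for the real LDAP link, php_set_opts() and php_ldap_do_search(), and a NULL filter simulates a failed search. It exercises all three exits through the cleanup label, including the early exit where ld is still NULL, and checks that the caller's options are restored on the other two.

```c
#include <stddef.h>
/* Constructed stand-ins for the LDAP link resource and its per-link options. */
typedef struct { int sizelimit; int timelimit; int deref; } ldap_link;
typedef struct { ldap_link *link; } ldap_linkdata;
/* Stand-in for php_set_opts(): writes options into the link; l == NULL crashes here. */
static void set_opts(ldap_link *l, int sizelimit, int timelimit, int deref)
{
    l->sizelimit = sizelimit;
    l->timelimit = timelimit;
    l->deref = deref;
}
/* Models php_ldap_do_search() after the #49424 fix. Every exit goes through
 * cleanup, where ld may still be NULL, so the restore step must check it.
 * A NULL filter simulates a failed search. Returns 1 on success, else 0. */
int do_search_fixed(ldap_linkdata *ld, const char *filter,
                    int sizelimit, int timelimit, int deref)
{
    int old_sizelimit = -1, old_timelimit = -1, old_deref = -1;
    int ret = 1;
    if (ld == NULL) {                 /* zend_fetch_resource() failed */
        ret = 0;
        goto cleanup;                 /* ld is NULL from here on */
    }
    old_sizelimit = ld->link->sizelimit;   /* save the caller's settings */
    old_timelimit = ld->link->timelimit;
    old_deref = ld->link->deref;
    set_opts(ld->link, sizelimit, timelimit, deref);
    if (filter == NULL) {             /* simulated ldap_search() error */
        ret = 0;
        goto cleanup;
    }
cleanup:
    /* PHP 5.2.10 called php_set_opts(ld->link, ...) unconditionally here. */
    if (ld != NULL) {
        set_opts(ld->link, old_sizelimit, old_timelimit, old_deref);
    }
    return ret;
}
/* Exercises the three exit paths on one link; returns 1 if all behave. */
int check_all_paths(void)
{
    ldap_link l = { 100, 30, 0 };
    ldap_linkdata d = { &l };
    int ok = do_search_fixed(NULL, "(cn=x)", 5, 5, 1) == 0;   /* invalid link: no crash */
    ok = ok && do_search_fixed(&d, "(cn=x)", 5, 5, 1) == 1;    /* success */
    ok = ok && l.sizelimit == 100 && l.timelimit == 30 && l.deref == 0;
    ok = ok && do_search_fixed(&d, NULL, 5, 5, 1) == 0;        /* search failed */
    return ok && l.sizelimit == 100 && l.timelimit == 30 && l.deref == 0;
}
```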


 [2009-08-31 18:51 UTC] jani@php.net
Who breaks should fix. :)
 [2009-09-01 08:42 UTC] svn@php.net
Automatic comment from SVN on behalf of patrickallaert
Revision: http://svn.php.net/viewvc/?view=revision&revision=287936
Log: Fixing #49424 (#48696): segfault while using ldap_search(), ldap_read(),...
 [2009-09-01 08:43 UTC] patrickallaert@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

This is the same as #48696; however, it has been fixed for PHP 5.3/6, not for 5.2.

This is fixed right now.
 