Bug #50540 Segmentation fault while running ldap_next_reference
Submitted: 2009-12-21 09:29 UTC Modified: 2009-12-21 20:40 UTC
From: sriram dot natarajan at gmail dot com Assigned: srinatar (profile)
Status: Closed Package: LDAP related
PHP Version: 5.2SVN-2009-12-21 (snap) OS: RHEL5.2
Private report: No CVE-ID: None

 [2009-12-21 09:29 UTC] sriram dot natarajan at gmail dot com
Description:
------------
Found a segmentation fault on free with an invalid pointer while running
PHP LDAP unit test cases on Red Hat Enterprise Linux 5.2 (64-bit).

PASS ldap_next_attribute() - Testing ldap_next_attribute() that should fail [ext/ldap/tests/ldap_next_attribute_error.phpt]
PASS ldap_next_entry() - Basic ldap_first_entry test [ext/ldap/tests/ldap_next_entry_basic.phpt]
PASS ldap_next_entry() - Testing ldap_next_entry() that should fail [ext/ldap/tests/ldap_next_entry_error.phpt]
*** glibc detected *** /export/home/sriramn/php/sapi/cli/php: free(): invalid pointer: 0x00007fffe402f898 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3660e71634]
/lib64/libc.so.6(cfree+0x8c)[0x3660e74c5c]
/export/home/sriramn/php/sapi/cli/php[0x4e0ba2]
/export/home/sriramn/php/sapi/cli/php(list_entry_destructor+0x85)[0x6de62a]
/export/home/sriramn/php/sapi/cli/php(zend_hash_del_key_or_index+0x1fd)[0x6dbe0b]
/export/home/sriramn/php/sapi/cli/php(_zend_list_delete+0x57)[0x6de116]
/export/home/sriramn/php/sapi/cli/php(_zval_dtor_func+0xa3)[0x6cd79f]
/export/home/sriramn/php/sapi/cli/php[0x6bf1d8]
/export/home/sriramn/php/sapi/cli/php(_zval_ptr_dtor+0x36)[0x6bf3e0]
/export/home/sriramn/php/sapi/cli/php[0x6dc21b]
/export/home/sriramn/php/sapi/cli/php(zend_hash_graceful_reverse_destroy+0x27)[0x6dc30d]
/export/home/sriramn/php/sapi/cli/php(shutdown_executor+0x4d)[0x6beedc]
/export/home/sriramn/php/sapi/cli/php(zend_deactivate+0x5f)[0x6cee43]
/export/home/sriramn/php/sapi/cli/php(php_request_shutdown+0x203)[0x67c99d]
/export/home/sriramn/php/sapi/cli/php(main+0x1742)[0x74d7ef]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3660e1d8b4]
/export/home/sriramn/php/sapi/cli/php(realloc+0x409)[0x4467a9]

Note: I haven't tried this on 32-bit. Here, PHP is compiled in 32-bit.


Reproduce code:
---------------
- enable ldap server from RHEL 5.2 (64-bit)
- enable ldap server to run as root with secret as rootpw
- running php ldap unit test case causes segv.

Expected result:
----------------
- test pass successfully

Actual result:
--------------
- segv seen while running ldap_next_entry_*phpt

 [2009-12-21 09:33 UTC] srinatar@php.net
analyzing the core dump, got some more info..

#0  0x0000003662e0675d in ber_free () from /usr/lib64/liblber-2.3.so.0
#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at /export/home/sriramn/php/ext/ldap/ldap.c:223
#2  0x00000000006de62a in list_entry_destructor (ptr=0x94873a0) at /export/home/sriramn/php/Zend/zend_list.c:184
#3  0x00000000006dbe0b in zend_hash_del_key_or_index (ht=0xaa99a8, arKey=0x0, nKeyLength=0, h=7, flag=1)
    at /export/home/sriramn/php/Zend/zend_hash.c:497
#4  0x00000000006de116 in _zend_list_delete (id=7) at /export/home/sriramn/php/Zend/zend_list.c:58
#5  0x00000000006cd79f in _zval_dtor_func (zvalue=0x94873e0) at /export/home/sriramn/php/Zend/zend_variables.c:59
#6  0x00000000006bf1d8 in _zval_dtor (zvalue=0x94873e0) at /export/home/sriramn/php/Zend/zend_variables.h:35
#7  0x00000000006bf3e0 in _zval_ptr_dtor (zval_ptr=0x9488ac0) at /export/home/sriramn/php/Zend/zend_execute_API.c:414
#8  0x00000000006dc21b in zend_hash_apply_deleter (ht=0xaa98a8, p=0x9488aa8) at /export/home/sriramn/php/Zend/zend_hash.c:611
#9  0x00000000006dc30d in zend_hash_graceful_reverse_destroy (ht=0xaa98a8) at /export/home/sriramn/php/Zend/zend_hash.c:646
#10 0x00000000006beedc in shutdown_executor () at /export/home/sriramn/php/Zend/zend_execute_API.c:239
#11 0x00000000006cee43 in zend_deactivate () at /export/home/sriramn/php/Zend/zend.c:860
#12 0x000000000067c99d in php_request_shutdown (dummy=0x0) at /export/home/sriramn/php/main/main.c:1504
#13 0x000000000074d7ef in main (argc=57, argv=0x7fff248479c8) at /export/home/sriramn/php/sapi/cli/php_cli.c:1346

#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at /export/home/sriramn/php/ext/ldap/ldap.c:223
223                     ber_free(entry->ber, 0);
(gdb) p *entry
$10 = {data = 0x94adf20, ber = 0x3d63642c6e69616d, id = 6}
(gdb) up
#2  0x00000000006de62a in list_entry_destructor (ptr=0x94873a0) at /export/home/sriramn/php/Zend/zend_list.c:184
184                                             ld->list_dtor_ex(le TSRMLS_CC);
(gdb) ptype ld
type = struct _zend_rsrc_list_dtors_entry {
    void (*list_dtor)(void *);
    void (*plist_dtor)(void *);
    rsrc_dtor_func_t list_dtor_ex;
    rsrc_dtor_func_t plist_dtor_ex;
    char *type_name;
    int module_number;
    int resource_id;
    unsigned char type;
} *
#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at /export/home/sriramn/php/ext/ldap/ldap.c:223
223                     ber_free(entry->ber, 0);
(gdb) ptype entry
type = struct {
    LDAPMessage *data;
    BerElement *ber;
    int id;
} *
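
Added illustration, not code from PHP and not the change committed for this bug: the `ber` value in the gdb output above, 0x3d63642c6e69616d, is eight printable ASCII bytes when read in memory order, which is what a field holding leftover string data looks like. The sketch decodes such a value and models a destructor meeting a `ber` field that was never set; `result_entry`, `stale`, `stub_ber_free`, `free_entry` and the NULL-guarded destructor shape are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout from `ptype entry` above; void* stands in for the LDAP types
   so this builds without libldap (assumption for illustration). */
typedef struct { void *data; void *ber; int id; } result_entry;

/* Triage helper: read a suspect pointer value byte by byte in little-endian
   memory order. Returns 1 and fills out[] if all 8 bytes are printable ASCII. */
int pointer_as_text(uint64_t value, char out[9]) {
    for (int i = 0; i < 8; i++) {
        unsigned char c = (unsigned char)(value >> (8 * i));
        if (c < 0x20 || c > 0x7e) return 0;
        out[i] = (char)c;
    }
    out[8] = '\0';
    return 1;
}

/* Constructed sample: text left behind in a block by an earlier allocation. */
static const char stale[] = "=x,dc=domain,dc=example,dc=com";

static int ber_free_calls;   /* how often the destructor reached the free call */
static void stub_ber_free(void *ber) { (void)ber; ber_free_calls++; }

/* Hypothetical destructor shape: release ber only when it is non-NULL. */
static void free_entry(result_entry *e) {
    if (e->ber != NULL) stub_ber_free(e->ber);
}

/* Builds an entry in a recycled block, optionally clearing ber, destroys it,
   and returns how many times the free call was reached. */
int ber_free_calls_after(int clear_ber) {
    result_entry e;
    memcpy(&e, stale, sizeof e);        /* block arrives holding old bytes */
    e.data = NULL;
    e.id = 6;
    if (clear_ber) e.ber = NULL;        /* explicit initialisation */
    ber_free_calls = 0;
    free_entry(&e);
    return ber_free_calls;
}

int main(void) {
    char text[9];
    if (pointer_as_text(0x3d63642c6e69616dULL, text)) puts(text); /* gdb's ber value */
    printf("%d %d\n", ber_free_calls_after(0), ber_free_calls_after(1));
    return 0;
}
```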

 [2009-12-21 11:29 UTC] jani@php.net
Exactly what openldap version have you compiled PHP with?
 [2009-12-21 18:15 UTC] sriram dot natarajan at gmail dot com
sriramn@memcache]'php'>rpm -qa | grep openldap
openldap-devel-2.3.27-8.el5_1.3
openldap-2.3.27-8.el5_1.3
openldap-devel-2.3.27-8.el5_1.3
openldap-servers-2.3.27-8.el5_1.3
openldap-2.3.27-8.el5_1.3
[sriramn2@memcache]'php-5.2.12'>

ldap version is the default version that is shipped within RHEL 5.2.
 [2009-12-21 19:16 UTC] srinatar@php.net
changed the synopsis of the bug from Segmentation fault with 
"free:invalid pointer while running ldap unit tests

to 
core dump while running ldap_next_reference test cases.

i am testing a patch that addresses this issue.
 [2009-12-21 20:39 UTC] svn@php.net
Automatic comment from SVN on behalf of srinatar
Revision: http://svn.php.net/viewvc/?view=revision&revision=292437
Log: Fixed bug #50540 (Crash within ldap_first_reference function)
 [2009-12-21 20:40 UTC] srinatar@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 