Sec Bug #60279 Null pointer dereference in stream_socket_enable_crypto
Submitted: 2011-11-12 10:33 UTC Modified: 2011-11-12 15:17 UTC
From: shm@php.net Assigned: pajoye (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.4.0RC1 OS:
Private report: No CVE-ID: None
 [2011-11-12 10:33 UTC] shm@php.net
Description:
------------
NPD in the stream_socket_enable_crypto function when the supplied socket's SSL session is not initialized:

<?php
$ref = "";
$fst = stream_socket_server("",$ref,$ref,0);
$snd = stream_socket_server("",$ref,$ref,0);
stream_socket_enable_crypto($fst,0,0,$snd);
?>
^D
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 80173d1c0 (LWP 100176)]
0x0000000802af69b0 in SSL_get_session () from /usr/lib/libssl.so.6
(gdb) bt
#0  0x0000000802af69b0 in SSL_get_session () from /usr/lib/libssl.so.6
#1  0x0000000802afa311 in SSL_copy_session_id () from /usr/lib/libssl.so.6
#2  0x000000080aa2e8d7 in php_openssl_sockop_set_option () from /usr/local/lib/php/20090626/openssl.so
#3  0x000000000050e879 in _php_stream_set_option ()
#4  0x000000000051958e in php_stream_xport_crypto_setup ()
#5  0x00000000004dd728 in zif_stream_socket_enable_crypto ()
#6  0x000000000059a157 in zend_do_fcall_common_helper_SPEC ()
#7  0x0000000000570d23 in execute ()
#8  0x000000000054c145 in zend_execute_scripts ()
#9  0x00000000004fa83c in php_execute_script ()
#10 0x00000000005d489b in main ()
#11 0x00000000004170fe in _start ()


Test script:
---------------
<?php
$ref = "";
$fst = stream_socket_server("",$ref,$ref,0);
$snd = stream_socket_server("",$ref,$ref,0);
stream_socket_enable_crypto($fst,0,0,$snd);
?>
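
The failure mode in the backtrace above (a session copy that reads through a TLS handle the session stream never had), shown as a simplified C model beside a guarded form. This is an added example, not PHP or OpenSSL source and not the committed fix; all type and function names are hypothetical, and the sample values are constructed.

```c
/* Added illustration with hypothetical names; not PHP or OpenSSL source. */
#include <string.h>

#define ID_MAX 32
typedef struct { unsigned char id[ID_MAX]; size_t id_len; int established; } tls_handle;
typedef struct { tls_handle *ssl; } sock_stream; /* ssl is NULL until crypto is set up */

enum copy_status { COPY_OK, COPY_NO_TARGET_TLS, COPY_NO_SESSION_STREAM,
                   COPY_SESSION_NOT_TLS, COPY_NO_SESSION };

/* Unguarded pattern, for contrast only (never called here): a session
   stream without a TLS handle makes from->ssl a NULL dereference. */
void copy_session_unchecked(sock_stream *to, const sock_stream *from)
{
    memcpy(to->ssl->id, from->ssl->id, from->ssl->id_len);
    to->ssl->id_len = from->ssl->id_len;
}

/* Guarded form: every pointer on the path is validated before use. */
enum copy_status copy_session_checked(sock_stream *to, const sock_stream *from)
{
    if (to == NULL || to->ssl == NULL) return COPY_NO_TARGET_TLS;
    if (from == NULL)                  return COPY_NO_SESSION_STREAM;
    if (from->ssl == NULL)             return COPY_SESSION_NOT_TLS;
    if (!from->ssl->established || from->ssl->id_len > ID_MAX) return COPY_NO_SESSION;
    memcpy(to->ssl->id, from->ssl->id, from->ssl->id_len);
    to->ssl->id_len = from->ssl->id_len;
    return COPY_OK;
}

/* Constructed case: the session stream is a plain socket with no TLS handle. */
int demo_plain_session_stream(void)
{
    tls_handle h = {{0}, 0, 0};
    sock_stream target = { &h }, plain = { NULL };
    return copy_session_checked(&target, &plain);
}

/* Constructed case: the session stream carries an established session. */
int demo_established_session(void)
{
    tls_handle src = {{0xde, 0xad, 0xbe, 0xef}, 4, 1}, dst = {{0}, 0, 0};
    sock_stream from = { &src }, to = { &dst };
    if (copy_session_checked(&to, &from) != COPY_OK) return -1;
    return (dst.id_len == 4 && memcmp(dst.id, src.id, 4) == 0) ? COPY_OK : -1;
}

int main(void)
{
    return (demo_plain_session_stream() == COPY_SESSION_NOT_TLS
            && demo_established_session() == COPY_OK) ? 0 : 1;
}
```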


 [2011-11-12 15:16 UTC] pajoye@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: pajoye
 [2011-11-12 15:16 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


Last updated: Mon Apr 07 16:01:28 2025 UTC