Bug #65818 Segfault with built-in webserver and chunked transfer encoding
Submitted: 2013-10-02 18:54 UTC Modified: 2013-10-02 19:16 UTC
From: ysangkok at gmail dot com Assigned:
Status: Closed Package: Built-in web server
PHP Version: 5.5.4 OS: Linux
Private report: No CVE-ID: None
 [2013-10-02 18:54 UTC] ysangkok at gmail dot com
Description:
------------
Chunked transfer encoding crashes the built-in webserver.

Test script:
---------------
#!/bin/bash
# Start the built-in server in the background; the trailing "&" is required,
# otherwise the script blocks here and the request below is never sent.
php -S 127.0.0.1:8801 &
sleep 2
# Chunked POST. Chunk sizes are hexadecimal (0x3b = 59, 0x49 = 73). The final
# "0" last-chunk is sent without its terminating CRLF, so the server hits EOF
# inside the chunked body.
echo -ne "POST /c.php HTTP/1.0\r
Transfer-Encoding: chunked\r
\r
3b\r
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r
49\r
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\r
0" | nc 127.0.0.1 8801
# Stop the server if it survived the request.
kill $! 2>/dev/null

Expected result:
----------------
No segfault

Actual result:
--------------
(gdb) run -S 127.0.0.1:8801
Starting program: /usr/bin/php5 -S 127.0.0.1:8801
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
PHP 5.5.4-1+debphp.org~raring+1 Development Server started at Wed Oct  2 20:52:35 2013
Listening on http://127.0.0.1:8801
Document root is /var/www
Press Ctrl-C to quit.
[Wed Oct  2 20:52:37 2013] 127.0.0.1:42191 Invalid request (Unexpected EOF)
*** Error in `/usr/bin/php5': free(): invalid next size (fast): 0x089f8658 ***

Program received signal SIGSEGV, Segmentation fault.
0xb783c8a0 in malloc_consolidate (av=av@entry=0xb7975440 <main_arena>) at malloc.c:4081
4081	malloc.c: No such file or directory.
(gdb) bt
#0  0xb783c8a0 in malloc_consolidate (av=av@entry=0xb7975440 <main_arena>) at malloc.c:4081
#1  0xb783db73 in _int_malloc (av=av@entry=0xb7975440 <main_arena>, bytes=bytes@entry=630) at malloc.c:3358
#2  0xb7840682 in __libc_calloc (n=630, elem_size=1) at malloc.c:3169
#3  0xb7fe8931 in _dl_new_object (realname=realname@entry=0x89f85f0 "/lib/i386-linux-gnu/libgcc_s.so.1", libname=libname@entry=0xb792e605 "libgcc_s.so.1", 
    type=type@entry=2, loader=loader@entry=0x0, mode=mode@entry=-1879048191, nsid=nsid@entry=0) at dl-object.c:76
#4  0xb7fe4520 in _dl_map_object_from_fd (name=name@entry=0xb792e605 "libgcc_s.so.1", fd=10, fbp=fbp@entry=0xbfffd0ec, 
    realname=0x89f85f0 "/lib/i386-linux-gnu/libgcc_s.so.1", loader=loader@entry=0x0, l_type=l_type@entry=2, mode=mode@entry=-1879048191, 
    stack_endp=stack_endp@entry=0xbfffd0e8, nsid=nsid@entry=0) at dl-load.c:1053
#5  0xb7fe6449 in _dl_map_object (loader=0x0, loader@entry=0xb7979000, name=name@entry=0xb792e605 "libgcc_s.so.1", type=type@entry=2, 
    trace_mode=trace_mode@entry=0, mode=mode@entry=-1879048191, nsid=0) at dl-load.c:2606
#6  0xb7ff1075 in dl_open_worker (a=a@entry=0xbfffd48c) at dl-open.c:228
#7  0xb7fed05e in _dl_catch_error (objname=objname@entry=0xbfffd484, errstring=errstring@entry=0xbfffd488, mallocedp=mallocedp@entry=0xbfffd483, 
    operate=operate@entry=0xb7ff0f40 <dl_open_worker>, args=args@entry=0xbfffd48c) at dl-error.c:177
#8  0xb7ff0af4 in _dl_open (file=0xb792e605 "libgcc_s.so.1", mode=-2147483647, caller_dlopen=0xb78ccc38 <init+40>, nsid=-2, argc=3, argv=0xbffff2e4, 
    env=0x8897008) at dl-open.c:656
#9  0xb78f0711 in do_dlopen (ptr=ptr@entry=0xbfffd630) at dl-libc.c:87
#10 0xb7fed05e in _dl_catch_error (objname=0xbfffd608, errstring=0xbfffd60c, mallocedp=0xbfffd607, operate=0xb78f06b0 <do_dlopen>, args=0xbfffd630)
    at dl-error.c:177
#11 0xb78f0807 in dlerror_run (operate=operate@entry=0xb78f06b0 <do_dlopen>, args=args@entry=0xbfffd630) at dl-libc.c:46
#12 0xb78f0897 in __GI___libc_dlopen_mode (name=name@entry=0xb792e605 "libgcc_s.so.1", mode=mode@entry=-2147483647) at dl-libc.c:163
#13 0xb78ccc38 in init () at ../sysdeps/i386/backtrace.c:43
#14 0xb77b6dae in pthread_once () at ../nptl/sysdeps/unix/sysv/linux/i386/pthread_once.S:120
#15 0xb78ccea5 in __GI___backtrace (array=array@entry=0xbfffd880, size=size@entry=64) at ../sysdeps/i386/backtrace.c:120
#16 0xb7831ad1 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0xb7934530 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:178
#17 0xb783c7e2 in malloc_printerr (action=<optimized out>, str=<optimized out>, ptr=0x89f8658) at malloc.c:4902
#18 0xb783d530 in _int_free (av=0xb7975440 <main_arena>, p=0x89f8650, have_lock=0) at malloc.c:3758
#19 0x08415c04 in php_cli_server_request_dtor (req=0x89f8484) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:1328
#20 php_cli_server_client_dtor (client=0x89f8440) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:1768
#21 php_cli_server_client_dtor_wrapper (p=0x89f85a4) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2109
#22 0x08366a98 in zend_hash_del_key_or_index (ht=ht@entry=0x88929ac <server+556>, arKey=arKey@entry=0x0, nKeyLength=nKeyLength@entry=0, h=<optimized out>, 
    flag=flag@entry=1) at /build/buildd/php5-5.5.4+dfsg/Zend/zend_hash.c:532
#23 0x08415cc8 in php_cli_server_close_connection (server=server@entry=0x8892780 <server>, client=0x89f8440)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:1785
#24 0x0841909e in php_cli_server_recv_event_read_request (server=0x8892780 <server>, client=0x89f8440)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2234
#25 0x08419590 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0xbfffe064, fd=fd@entry=9, event=event@entry=1)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2331
#26 0x08419f3c in php_cli_server_poller_iter_on_active (opaque=0xbfffe064, poller=<optimized out>, callback=<optimized out>)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:838
#27 php_cli_server_do_event_for_each_fd (server=<optimized out>, rhandler=<optimized out>, whandler=<optimized out>)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2352
#28 php_cli_server_do_event_loop (server=<optimized out>) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2362
#29 do_cli_server (argc=argc@entry=3, argv=argv@entry=0x8897e20) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2463
#30 0x080990fb in main (argc=3, argv=0x8897e20) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli.c:1381
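The backtrace shows the server logging "Invalid request (Unexpected EOF)" and then corrupting the heap while tearing the request down (free() reports an invalid chunk inside php_cli_server_request_dtor). The defensive reference point is a chunked-body decoder that checks every read against the input length and every write against the output capacity, so a body that stops early is reported as incomplete instead of being acted on. The decoder below is an added example, not code from the bug report or from php-src; decode_chunked, build_sample, demo_complete and demo_truncated are this example's own names, and the sample body is constructed here to have the same shape as the test script (a 0x3b-byte chunk of 'a', a 0x49-byte chunk of 'b', then the last-chunk "0"), once with its closing CRLFs and once truncated after "0" as in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes. CHUNK_NEED_MORE is the "unexpected EOF" case: the input stopped
 * inside a chunk header, inside chunk data, or before the final CRLF. */
enum chunk_status { CHUNK_OK = 0, CHUNK_NEED_MORE = 1, CHUNK_BAD = 2, CHUNK_TOO_BIG = 3 };

/* Decode a chunked body held in in[0..in_len) into out (capacity out_cap).
 * Every read is bounded by in_len and every write by out_cap, so truncated or
 * oversized input is reported, never copied. Trailer fields are not supported:
 * the last-chunk must be followed directly by CRLF. */
enum chunk_status decode_chunked(const char *in, size_t in_len,
                                 char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, written = 0;

    for (;;) {
        size_t chunk = 0;
        int digits = 0;

        /* chunk-size is hexadecimal; refuse values that would overflow size_t */
        while (pos < in_len) {
            char c = in[pos];
            int v;
            if (c >= '0' && c <= '9')      v = c - '0';
            else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
            else break;
            if (chunk > (SIZE_MAX >> 4)) return CHUNK_TOO_BIG;
            chunk = (chunk << 4) | (size_t)v;
            digits++;
            pos++;
        }
        if (digits == 0) return pos < in_len ? CHUNK_BAD : CHUNK_NEED_MORE;

        /* an optional chunk extension ";name=value" is skipped up to the CR */
        if (pos < in_len && in[pos] == ';')
            while (pos < in_len && in[pos] != '\r') pos++;

        if (in_len - pos < 2) return CHUNK_NEED_MORE;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_BAD;
        pos += 2;

        if (chunk == 0) {                 /* last-chunk: needs the closing CRLF too */
            if (in_len - pos < 2) return CHUNK_NEED_MORE;
            if (in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_BAD;
            *out_len = written;
            return CHUNK_OK;
        }

        /* the whole chunk plus its trailing CRLF must be present before copying */
        if (chunk > in_len - pos || (in_len - pos) - chunk < 2) return CHUNK_NEED_MORE;
        if (chunk > out_cap - written) return CHUNK_TOO_BIG;
        memcpy(out + written, in + pos, chunk);
        written += chunk;
        pos += chunk;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_BAD;
        pos += 2;
    }
}

/* Constructed sample with the shape of the bug's test script body:
 * 0x3b (59) bytes of 'a', 0x49 (73) bytes of 'b', then the last-chunk "0".
 * With well_terminated == 0 the body stops right after "0", as in the report.
 * The caller must pass a buffer of at least 160 bytes. */
static size_t build_sample(char *buf, size_t cap, int well_terminated)
{
    size_t n = 0;
    n += (size_t)snprintf(buf + n, cap - n, "3b\r\n");
    memset(buf + n, 'a', 59); n += 59;
    n += (size_t)snprintf(buf + n, cap - n, "\r\n49\r\n");
    memset(buf + n, 'b', 73); n += 73;
    n += (size_t)snprintf(buf + n, cap - n, "\r\n0");
    if (well_terminated) n += (size_t)snprintf(buf + n, cap - n, "\r\n\r\n");
    return n;
}

/* Fully terminated body: returns the decoded length, 59 + 73 = 132. */
int demo_complete(void)
{
    char in[256], out[256]; size_t out_len = 0;
    size_t in_len = build_sample(in, sizeof in, 1);
    if (decode_chunked(in, in_len, out, sizeof out, &out_len) != CHUNK_OK) return -1;
    return (int)out_len;
}

/* Body truncated after "0": returns CHUNK_NEED_MORE, nothing is freed or used. */
int demo_truncated(void)
{
    char in[256], out[256]; size_t out_len = 0;
    size_t in_len = build_sample(in, sizeof in, 0);
    return (int)decode_chunked(in, in_len, out, sizeof out, &out_len);
}

int main(void)
{
    printf("complete body decodes to %d bytes\n", demo_complete());
    printf("truncated body -> status %d (1 = need more data)\n", demo_truncated());
    return 0;
}
```

The point of the design is that the decoder decides "incomplete" before any copy and returns without touching state it has not validated; a server built this way can close the connection on EOF and run its normal teardown without having half-applied a chunk.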

History

 [2013-10-02 18:56 UTC] ysangkok at gmail dot com
The second line of the test script needs an ampersand at the end!
 [2013-10-02 18:57 UTC] aharvey@php.net
-Package: Unknown/Other Function +Package: Built-in web server
 [2013-10-02 19:16 UTC] aharvey@php.net
-Status: Open +Status: Verified
 [2013-10-02 19:16 UTC] aharvey@php.net
Verified on current 5.4, 5.5 and master builds.
 [2013-10-05 15:53 UTC] felipe@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3aaee86ee33af276d2e879f5a645cc6dc850de22
Log: - Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding)
 [2013-10-05 15:53 UTC] felipe@php.net
-Status: Verified +Status: Closed
 [2013-10-07 11:51 UTC] ab@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3aaee86ee33af276d2e879f5a645cc6dc850de22
Log: - Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding)
 [2014-10-07 23:16 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3aaee86ee33af276d2e879f5a645cc6dc850de22
Log: - Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding)
 [2014-10-07 23:28 UTC] stas@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=3aaee86ee33af276d2e879f5a645cc6dc850de22
Log: - Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC