Bug #65936 dangling context pointer causes crash
Submitted: 2013-10-21 10:52 UTC Modified: 2013-10-21 10:53 UTC
From: tony2001@php.net Assigned: tony2001 (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.5Git-2013-10-21 (Git) OS: *
Private report: No CVE-ID: None
 [2013-10-21 10:52 UTC] tony2001@php.net
Description:
------------
Pointer to stream context is not cleared in persistent stream struct, which results in a crash when re-using that stream.

Test script:
---------------
<?php

// Opens (or re-uses) a persistent, non-blocking TCP client stream.
// STREAM_CLIENT_PERSISTENT makes the stream survive the request in which
// it was created, so a second request on the same worker re-uses it.
function connect($host, $port, $timeout = 1) {
    $conn_str = "tcp://{$host}:{$port}";
    $opts = STREAM_CLIENT_CONNECT | STREAM_CLIENT_ASYNC_CONNECT | STREAM_CLIENT_PERSISTENT;
    $sock = stream_socket_client($conn_str, $errno, $errstr, $timeout, $opts);
    return $sock;
}

$sock = connect("google.com", 80);

// Minimal HTTP/1.0 request so the server closes the connection after replying.
$req = "GET / HTTP/1.0\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n";

$len = fwrite($sock, $req);

$data = stream_get_contents($sock);

echo $data;

Expected result:
----------------
No crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000764140 in php_stream_context_get_option (context=0x7fd70dd833f8, wrappername=0xbe6fae "socket", optionname=0xbe6fa7 "bindto", 
    optionvalue=0x7fff2c7b1680) at /local/git/php-src/main/streams/streams.c:2219
2219            if (FAILURE == zend_hash_find(Z_ARRVAL_P(context->options), (char*)wrappername, strlen(wrappername)+1, (void**)&wrapperhash)) {
(gdb) bt
#0  0x0000000000764140 in php_stream_context_get_option (context=0x7fd70dd833f8, wrappername=0xbe6fae "socket", optionname=0xbe6fa7 "bindto", 
    optionvalue=0x7fff2c7b1680) at /local/git/php-src/main/streams/streams.c:2219
#1  0x0000000000773725 in php_tcp_sockop_connect (stream=0x10e2840, sock=0x10e08b0, xparam=0x7fff2c7b1780)
    at /local/git/php-src/main/streams/xp_socket.c:656
#2  0x0000000000773bc4 in php_tcp_sockop_set_option (stream=0x10e2840, option=7, value=0, ptrparam=0x7fff2c7b1780)
    at /local/git/php-src/main/streams/xp_socket.c:757
#3  0x0000000000761a76 in _php_stream_set_option (stream=0x10e2840, option=7, value=0, ptrparam=0x7fff2c7b1780)
    at /local/git/php-src/main/streams/streams.c:1353
#4  0x000000000077196e in php_stream_xport_connect (stream=0x10e2840, name=0x7fd70dd7fc9e "google.com:80", namelen=13, asynchronous=1, 
    timeout=0x7fff2c7b19e0, error_text=0x7fff2c7b18e0, error_code=0x7fff2c7b19d4) at /local/git/php-src/main/streams/transports.c:243
#5  0x00000000007713fb in _php_stream_xport_create (name=0x7fd70dd7fc9e "google.com:80", namelen=13, options=8, flags=18, 
    persistent_id=0x7fd70dd82da8 "stream_socket_client__tcp://google.com:80", timeout=0x7fff2c7b19e0, context=0x7fd70dd833f8, error_string=0x7fff2c7b19c0, 
    error_code=0x7fff2c7b19d4, __php_stream_call_depth=0, __zend_filename=0xbdf140 "/local/git/php-src/ext/standard/streamsfuncs.c", __zend_lineno=134, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/git/php-src/main/streams/transports.c:143
#6  0x0000000000726d3b in zif_stream_socket_client (ht=5, return_value=0x7fd70dd81690, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /local/git/php-src/ext/standard/streamsfuncs.c:131
#7  0x0000000000816f6e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:550
#8  0x000000000081b868 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:2329
#9  0x000000000081665f in execute_ex (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:363
#10 0x00000000008166e7 in zend_execute (op_array=0x7fd70dd7fd78) at /local/git/php-src/Zend/zend_vm_execute.h:388
#11 0x00000000007d8554 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /local/git/php-src/Zend/zend.c:1320
#12 0x00000000007452fe in php_execute_script (primary_file=0x7fff2c7b61a0) at /local/git/php-src/main/main.c:2489
#13 0x0000000000892bcf in main (argc=1, argv=0x7fff2c7b63c8) at /local/git/php-src/sapi/fpm/fpm/fpm_main.c:1933
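The defect class behind this report is a cached, long-lived struct that keeps a raw pointer to a per-request object and is handed out again after that object has been destroyed. The following C program is an added example, not php-src code and not the fix that was committed: it models a persistent stream slot (`pstream_t`), a per-request context (`context_t`) and the invariant that every reference from the cached slot is dropped before the context is freed. All names, the `bindto` values and the placeholder descriptor are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (constructed for this example, not php-src code):
 * a per-request "context" carrying stream options, and a "persistent
 * stream" that the worker process keeps across requests. */
typedef struct {
    char bindto[64];          /* stands in for the socket/bindto option */
} context_t;

typedef struct {
    int fd;                   /* socket kept open across requests (placeholder) */
    context_t *ctx;           /* per-request context; must not outlive the request */
} pstream_t;

/* Worker-lifetime registry: one slot is enough for the model. */
static pstream_t *g_persistent = NULL;

context_t *context_new(const char *bindto) {
    context_t *c = calloc(1, sizeof *c);
    snprintf(c->bindto, sizeof c->bindto, "%s", bindto);
    return c;
}

/* Re-use the cached stream if present, otherwise create it, then attach
 * this request's context (NULL means "no context for this request"). */
pstream_t *stream_open_persistent(context_t *ctx) {
    if (g_persistent == NULL) {
        g_persistent = calloc(1, sizeof *g_persistent);
        g_persistent->fd = 3; /* constructed placeholder, no real socket */
    }
    g_persistent->ctx = ctx;
    return g_persistent;
}

/* Option lookup that tolerates a missing context instead of dereferencing
 * whatever the pointer happens to hold. Returns "" when unset. */
const char *stream_get_bindto(const pstream_t *s) {
    if (s == NULL || s->ctx == NULL) return "";
    return s->ctx->bindto;
}

/* The mitigation modelled here: before a context is destroyed at request
 * end, every persistent stream still pointing at it drops that pointer.
 * Without this step g_persistent->ctx would keep the address of freed
 * memory and the next request's option lookup would read through it,
 * which is the kind of access that produced the SIGSEGV in the report. */
void context_free(context_t *ctx) {
    if (g_persistent != NULL && g_persistent->ctx == ctx) {
        g_persistent->ctx = NULL;
    }
    free(ctx);
}

/* Invariant a test or debug build can assert between requests:
 * no persistent stream references any context. */
int persistent_has_no_context(void) {
    return g_persistent == NULL || g_persistent->ctx == NULL;
}

/* Simulates two requests on one worker. Returns 1 when each request sees
 * its own option and the cached slot holds no stale pointer afterwards. */
int simulate_two_requests(void) {
    /* request 1: attach a context, use it, tear down */
    context_t *c1 = context_new("10.0.0.5:0"); /* constructed value */
    pstream_t *s = stream_open_persistent(c1);
    if (strcmp(stream_get_bindto(s), "10.0.0.5:0") != 0) return 0;
    context_free(c1);
    if (!persistent_has_no_context()) return 0;

    /* request 2: re-uses the same pstream_t with a fresh context */
    context_t *c2 = context_new("10.0.0.6:0"); /* constructed value */
    s = stream_open_persistent(c2);
    int ok = strcmp(stream_get_bindto(s), "10.0.0.6:0") == 0;
    context_free(c2);
    return ok && persistent_has_no_context();
}

int main(void) {
    printf("two-request simulation: %s\n",
           simulate_two_requests() ? "ok" : "stale pointer");
    return 0;
}
```

Run it under AddressSanitizer (`-fsanitize=address`) and remove the two lines in `context_free` that clear the pointer to see the same use-after-free pattern reported as a heap-use-after-free instead of a bare segfault; the `persistent_has_no_context` check is the cheap assertion worth keeping between requests in a debug build.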


History
 [2013-10-21 10:53 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: tony2001
 [2013-10-21 11:10 UTC] tony2001@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b636c03426193ecf0b7e166126a14b70ce8185e9
Log: fix bug #65936 (dangling context pointer causes crash)
 [2013-10-21 11:10 UTC] tony2001@php.net
-Status: Assigned +Status: Closed
 [2013-11-17 09:30 UTC] laruence@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b636c03426193ecf0b7e166126a14b70ce8185e9
Log: fix bug #65936 (dangling context pointer causes crash)