Bug #69395 Segmentation fault, possibly in php-ldap
Submitted: 2015-04-07 15:15 UTC Modified: 2015-04-13 07:21 UTC
From: come dot bernigaud at opensides dot be Assigned:
Status: Closed Package: LDAP related
PHP Version: 5.6.7 OS: Debian
Private report: No CVE-ID: None

 [2015-04-07 15:15 UTC] come dot bernigaud at opensides dot be
Description:
------------
Hello, running Debian Jessie which includes php 5.6.7+dfsg-1, I get a segfault while using FusionDirectory, the same code does not segfault on Debian Wheezy which has an older version of PHP.

Expected result:
----------------
No segfault

Actual result:
--------------
#0  0xb7d9ea77 in _int_malloc (av=av@entry=0xb7ed1420 <main_arena>, bytes=bytes@entry=4060) at malloc.c:3302
#1  0xb7da0b31 in __GI___libc_malloc (bytes=4060) at malloc.c:2891
#2  0xb7243971 in ber_memalloc_x () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#3  0xb7243aea in ber_memrealloc_x () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#4  0xb72420ad in ber_realloc () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#5  0xb72411f6 in ?? () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#6  0xb7241ccc in ber_printf () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#7  0xb6f4e66d in ldap_build_search_req () from /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2
#8  0xb6f4ec8f in ldap_search () from /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2
#9  0xb6f4ee39 in ldap_search_s () from /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2
#10 0xb5186bed in php_ldap_do_search (ht=-2144099600, return_value=0xfdc, scope=1, return_value_used=<optimized out>, this_ptr=<optimized out>, 
    return_value_ptr=<optimized out>) at /build/php5-truQYy/php5-5.6.7+dfsg/ext/ldap/ldap.c:798
#11 0xb6314340 in execute_internal (execute_data_ptr=0x83fff508, fci=0x0, return_value_used=1) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute.c:1527
#12 0xb624d51e in dtrace_execute_internal (execute_data_ptr=0x83fff508, fci=0x0, return_value_used=1) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:97
#13 0xb6318414 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff508) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:560
#14 0xb629e267 in execute_ex (execute_data=0x83fff508) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#15 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff508) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#16 0xb6316164 in zend_execute (op_array=0x803a0bb8) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#17 0xb624f3db in zend_call_function (fci=0xbf802648, fci_cache=0xbf802634) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute_API.c:829
#18 0xb60dab04 in zim_reflection_method_invokeArgs (ht=2, return_value=0x8406a2a4, return_value_ptr=0x83fff434, this_ptr=0x8039fbb0, return_value_used=1)
    at /build/php5-truQYy/php5-5.6.7+dfsg/ext/reflection/php_reflection.c:3045
#19 0xb6314340 in execute_internal (execute_data_ptr=0x83fff440, fci=0x0, return_value_used=1) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute.c:1527
#20 0xb624d51e in dtrace_execute_internal (execute_data_ptr=0x83fff440, fci=0x0, return_value_used=1) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:97
#21 0xb6318414 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff440) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:560
#22 0xb629e267 in execute_ex (execute_data=0x83fff440) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#23 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff440) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#24 0xb6316164 in zend_execute (op_array=0x803a7aac) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#25 0xb624f3db in zend_call_function (fci=0xbf802978, fci_cache=0xbf802964) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute_API.c:829
#26 0xb627793f in zend_call_method (object_pp=0xbf8029f8, obj_ce=<optimized out>, fn_proxy=0x803a7a2c, function_name=0xb66a3943 "__call", function_name_len=6, 
    retval_ptr_ptr=0xbf802a08, param_count=2, arg1=0x8406982c, arg2=0x84069d8c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_interfaces.c:97
#27 0xb6287a74 in zend_std_call_user_call (ht=3, return_value=0x8406a01c, return_value_ptr=0x83fff360, this_ptr=0x84069aec, return_value_used=0)
    at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_object_handlers.c:931
#28 0xb6314340 in execute_internal (execute_data_ptr=0x83fff36c, fci=0x0, return_value_used=0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute.c:1527
#29 0xb624d51e in dtrace_execute_internal (execute_data_ptr=0x83fff36c, fci=0x0, return_value_used=0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:97
#30 0xb6318414 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff36c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:560
#31 0xb629e267 in execute_ex (execute_data=0x83fff36c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#32 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff36c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#33 0xb6316164 in zend_execute (op_array=0x8033ae7c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#34 0xb6318902 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff288) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:592
#35 0xb629e267 in execute_ex (execute_data=0x83fff288) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#36 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff288) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#37 0xb6316164 in zend_execute (op_array=0x8033ae7c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#38 0xb6318902 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff1a4) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:592
#39 0xb629e267 in execute_ex (execute_data=0x83fff1a4) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#40 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff1a4) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#41 0xb6316164 in zend_execute (op_array=0x8033ae7c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#42 0xb6318902 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff0c0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:592
#43 0xb629e267 in execute_ex (execute_data=0x83fff0c0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#44 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff0c0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73

 [2015-04-07 17:38 UTC] aharvey@php.net
-Package: *General Issues +Package: LDAP related
 [2015-04-09 10:27 UTC] come dot bernigaud at opensides dot be
The problem seems linked to an infinite loop caused by ldap_list returning its search base in the results. This should not be possible as ldap_list is supposed to «Performs the search for a specified filter on the directory with the scope LDAP_SCOPE_ONELEVEL» and the search base is not in the ONELEVEL scope.

I checked with this minimal code.
<?php
$host = 'localhost';
$port = '389';
$binddn = 'cn=admin,dc=mcmic,dc=test';
$bindpw = 'pwd';

$cid = ldap_connect($host, $port);
ldap_set_option($cid, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($cid, $binddn, $bindpw);
$res = ldap_list($cid, 'ou=wheezy,ou=debian,ou=fai,ou=configs,ou=systems,dc=mcmic,dc=test', '(objectClass=FAIbranch)', array('dn'));
print_r(ldap_error($cid)."\n");

echo "\nResults:\n";
print_r(ldap_count_entries($cid, $res)."\n");
$entry = ldap_first_entry($cid, $res);
if ($entry) {
  print_r(ldap_get_dn($cid, $entry));
}
I get:
Success

Results:
1
ou=wheezy,ou=debian,ou=fai,ou=configs,ou=systems,dc=mcmic,dc=test

But with the same request by ldap search:
# ldapsearch -xLLL -s one -b ou=wheezy,ou=debian,ou=fai,ou=configs,ou=systems,dc=mcmic,dc=test objectClass=FAIBranch
I get nothing.

The weird thing is I do not get the same behaviour with other bases.
 [2015-04-09 10:55 UTC] come dot bernigaud at opensides dot be
Using normal auth instead of -xLLL, I DO get the same result with ldapsearch, so the error may not be in PHP after all
 [2015-04-13 07:21 UTC] come dot bernigaud at opensides dot be
-Status: Open +Status: Closed
 [2015-04-13 07:21 UTC] come dot bernigaud at opensides dot be
The error was in openldap and not in PHP
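
A defensive traversal for the failure discussed in this thread, as an added example (not code from the reporter, FusionDirectory or PHP): a directory walk that stays bounded even when a one-level search returns its own base. `$listChildren` is a hypothetical callable standing in for `ldap_list()` plus entry retrieval, `normalizeDn()` is a simplified DN comparison, and the directory contents are constructed with shortened DNs.

```php
<?php
// Added example. $listChildren is a hypothetical callable(string $baseDn): string[]
// that a real application would implement with ldap_list() + ldap_get_entries().

function normalizeDn(string $dn): string
{
    // Simplified comparison form: lower-case, no spaces around ',' and '='.
    return strtolower(preg_replace('/\s*([,=])\s*/', '$1', trim($dn)));
}

function walkTree(callable $listChildren, string $base, int $maxDepth = 32): array
{
    $visited = [normalizeDn($base) => true];
    $anomalies = [];
    $queue = [[$base, 0]];           // iterative walk: no PHP-level recursion
    while ($queue) {
        [$dn, $depth] = array_shift($queue);
        foreach ($listChildren($dn) as $child) {
            $key = normalizeDn($child);
            if ($key === normalizeDn($dn)) {
                // One-level search returned its own base: record it, never descend.
                $anomalies[] = "base returned by one-level search: $dn";
                continue;
            }
            if (isset($visited[$key])) {
                continue;            // already queued or processed
            }
            if ($depth + 1 > $maxDepth) {
                $anomalies[] = "depth limit reached below: $dn";
                continue;
            }
            $visited[$key] = true;
            $queue[] = [$child, $depth + 1];
        }
    }
    return ['dns' => array_keys($visited), 'anomalies' => $anomalies];
}

// Constructed directory: the 'ou=wheezy' branch lists itself, as in the report.
$fake = [
    'ou=fai,dc=mcmic,dc=test' => ['ou=debian,ou=fai,dc=mcmic,dc=test'],
    'ou=debian,ou=fai,dc=mcmic,dc=test' => ['ou=wheezy,ou=debian,ou=fai,dc=mcmic,dc=test'],
    'ou=wheezy,ou=debian,ou=fai,dc=mcmic,dc=test' => ['OU=wheezy, ou=debian,ou=fai,dc=mcmic,dc=test'],
];
$lister = function (string $dn) use ($fake): array {
    return $fake[normalizeDn($dn)] ?? [];
};

print_r(walkTree($lister, 'ou=fai,dc=mcmic,dc=test'));
```

With the constructed data the walk visits three DNs and reports one anomaly for the self-listing branch instead of looping.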
 