php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #72150 Segfault when passing ENV vars to ssh2_exec
Submitted: 2016-05-04 10:10 UTC Modified: 2016-05-30 08:12 UTC
Votes:2
Avg. Score:4.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: alessandro dot lai85 at gmail dot com Assigned: seander (profile)
Status: Closed Package: ssh2 (PECL)
PHP Version: 7.0.6 OS: php:7.0.6-fpm official DockerHub
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: alessandro dot lai85 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-05-04 10:10 UTC] alessandro dot lai85 at gmail dot com 
Description:
------------
I've discovered a bug in the ssh2_exec function, due to using an OO wrapping library (https://github.com/Herzult/php-ssh). The library has obviously default values for parameters that are passed to the SSH2 functions, so it passes an empty array to the $env parameter when nothing is passed by the user.

I've been able to reproduce the bug with 3 lines of code, attached here in the test script.

Uncovered using:
 - PHP 7.0.6
 - ssh2 extension installed using master blob from Gitlab (https://github.com/php/pecl-networking-ssh2), using latest commit (aa1739a, Mar 25th)
 - php:7.0.6-fpm official DockerHub derived dockerfile


Test script:
---------------
<?php
        $connection = ssh2_connect('somehost.example.com', 22);
        ssh2_auth_password($connection, 'user', 'password');

        ssh2_exec($connection, 'pwd', null, []);


Expected result:
----------------
Normal execution, exit code 0

Actual result:
--------------
Segmentation fault

Patches

ssh2-env.patch (last revision 2016-05-06 16:17 UTC by krakjoe@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-04 10:17 UTC] alessandro dot lai85 at gmail dot com
-Summary: Segfault when passing an empty array of ENV vars to ssh2_exec +Summary: Segfault when passing ENV vars to ssh2_exec
 [2016-05-04 10:17 UTC] alessandro dot lai85 at gmail dot com 
UPDATE: the segfault happens even with non-empty arrays! This piece of code segfaults too:

Test script (2):
---------------
<?php
        $connection = ssh2_connect('somehost.example.com', 22);
        ssh2_auth_password($connection, 'user', 'password');

        ssh2_exec($connection, 'pwd', null, ['test' => true]);
 [2016-05-06 16:17 UTC] krakjoe@php.net 
The following patch has been added/updated:

Patch Name: ssh2-env.patch
Revision:   1462551470
URL:        https://bugs.php.net/patch-display.php?bug=72150&patch=ssh2-env.patch&revision=1462551470
 [2016-05-06 16:18 UTC] krakjoe@php.net
-Assigned To: +Assigned To: seander
 [2016-05-06 16:18 UTC] krakjoe@php.net 
Not able to commit to that repo ... assigning ...
 [2016-05-10 03:05 UTC] seander@php.net 
Hey Joe,

Unfortunately I don't have commit access either, if you open a PR https://github.com/php/pecl-networking-ssh2 it should get merged pretty quickly  langemeijer does a good job of watching them.

thanks
 [2016-05-10 09:05 UTC] alessandro dot lai85 at gmail dot com 
I've created a PR myself, thanks Joe!
https://github.com/php/pecl-networking-ssh2/pull/13
 [2016-05-30 08:12 UTC] krakjoe@php.net
-Status: Assigned +Status: Closed
 [2016-05-30 08:12 UTC] krakjoe@php.net 
Turns out, I can commit there ... I'm just terrible at git ...

Fixed in master.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Nov 22 04:01:28 2024 UTC