Sec Bug #80672 Null Dereference in SoapClient
Submitted: 2021-01-26 16:12 UTC Modified: 2021-02-01 08:15 UTC
From: jgalindo at datto dot com Assigned: stas (profile)
Status: Closed Package: SOAP related
PHP Version: 7.4.14 OS: Ubuntu
Private report: No CVE-ID: 2021-21702

 [2021-01-26 16:12 UTC] jgalindo at datto dot com
Description:
------------
PHP will crash with a SIGSEGV whenever an XML is provided to the SoapClient query() function without an existing field.

Version: 
PHP 7.4.11 (cli) (built: Oct  6 2020 10:34:39) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.11, Copyright (c), by Zend Technologies


Notes:
I did not compile with symbols, but it looks like the issue arises in node_is_equal_ex() when checking the child node name. I tested this using php and python3.

Reproduce steps:
1. Copy xxe.xml to current directory
2. Start python server: python3 -m http.server 80
3. Run crash.php: php crash.php

Test script:
---------------
crash.php:
<?php
// Options array exactly as posted (a plain list, not the associative options array SoapClient documents)
$credential = array("username", "password");
// The WSDL is fetched from the local python server started in step 2.
// Per the backtrace below, the crash already happens here, inside get_sdl() while the WSDL is parsed.
$soap = new SoapClient("http://localhost/xxe.xml", $credential);
$query = $soap->query(array('sXML' => 'something'));

xxe.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<soap:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/">
<![CDATA[<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://localhost:8080/VULNERABLE"> %xxe;]><foo>l</foo>]]>
</soap:definitions>

Expected result:
----------------
The query would fail gracefully.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
__strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:209
209     ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt full
#0  __strcmp_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:209
No locals.
#1  0x00000000005c9f8a in node_is_equal_ex ()
No symbol table info available.
#2  0x00000000005c25e3 in ?? ()
No symbol table info available.
#3  0x00000000005c2d08 in ?? ()
No symbol table info available.
#4  0x00000000005c4601 in get_sdl ()
No symbol table info available.
#5  0x000000000058ef58 in zim_SoapClient_SoapClient ()
No symbol table info available.
#6  0x00000000006d5f9b in dtrace_execute_internal ()
No symbol table info available.
#7  0x00007ffff5528476 in xdebug_execute_internal (current_execute_data=0x7ffff7fa7660, fci=0x0, return_value_used=0)
    at /build/buildd/xdebug-2.2.3/xdebug-2.2.3/xdebug.c:1551
        edata = <optimized out>
        fse = 0x1213880
        cur_opcode = <optimized out>
        do_return = 0
        function_nr = 1
        restore_error_handler_situation = 1
        tmp_error_cb = <optimized out>
#8  0x0000000000795390 in ?? ()
No symbol table info available.
#9  0x000000000070fcc8 in execute_ex ()
No symbol table info available.
#10 0x00000000006d5e99 in dtrace_execute_ex ()
No symbol table info available.
#11 0x00007ffff5527a7c in xdebug_execute_ex (execute_data=0x7ffff7fa7660) at /build/buildd/xdebug-2.2.3/xdebug-2.2.3/xdebug.c:1437
        op_array = 0x7ffff7fdbc58
        edata = <optimized out>
        dummy = 0xecd608 <compiler_globals+392>
        fse = 0x1213720
        xfse = <optimized out>
        magic_cookie = <optimized out>
        do_return = 0
        function_nr = 0
        le = <optimized out>
        eval_id = <optimized out>
        clear = 1
        return_val = 0x0
#12 0x00000000006e7520 in zend_execute_scripts ()
No symbol table info available.
#13 0x0000000000687d65 in php_execute_script ()
No symbol table info available.
#14 0x000000000079736e in ?? ()
No symbol table info available.
#15 0x00000000004617c0 in main ()
No symbol table info available.


 [2021-01-28 12:37 UTC] cmb@php.net
I can confirm the null pointer dereference.  An apparent fix would
be:


 ext/soap/php_xml.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/soap/php_xml.c b/ext/soap/php_xml.c
index b606030179..df376d6027 100644
--- a/ext/soap/php_xml.c
+++ b/ext/soap/php_xml.c
@@ -215,7 +215,7 @@ int attr_is_equal_ex(xmlAttrPtr node, char *name, char *ns)
 
 int node_is_equal_ex(xmlNodePtr node, char *name, char *ns)
 {
-	if (name == NULL || strcmp((char*)node->name, name) == 0) {
+	if (name == NULL || (node->name && strcmp((char*)node->name, name) == 0)) {
 		if (ns) {
 			xmlNsPtr nsPtr = node_find_ns(node);
 			if (nsPtr) {
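Review bot: the added `node->name` guard in the `if` stops the NULL dereference at this call site, but it still lets non-element nodes (such as the CDATA section in the reporter's WSDL) reach the name comparison, and the neighbouring `attr_is_equal_ex()` named in the hunk header compares names the same way and deserves the same check. Consider rejecting nodes whose `type` is not `XML_ELEMENT_NODE` up front, since only elements can be a valid match here, and add the reporter's document as a regression test under ext/soap/tests so the crash cannot come back.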


I don't know enough about SOAP to assess whether this is the
proper fix, though.
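As an added illustration of the hardened comparison (not code from php-src or from the commenter): a self-contained C model of the libxml2 node fields that node_is_equal_ex() touches, with a predicate that only matches element nodes and never hands a NULL name to strcmp(). The struct, the enum values and node_find_ns() are constructed stand-ins for libxml2's xmlNode, xmlElementType and ext/soap's helper, not the real definitions.

```c
/* Constructed stand-in for the libxml2 node fields used by the SOAP WSDL parser. */
#include <stddef.h>
#include <string.h>

enum { NODE_ELEMENT = 1, NODE_CDATA = 4 };   /* same values as libxml2's XML_ELEMENT_NODE / XML_CDATA_SECTION_NODE */

typedef struct ns { const char *href; } ns_t;
typedef struct node {
    int          type;
    const char  *name;    /* NULL for a CDATA section, which is what the crashing WSDL contains */
    ns_t        *ns;      /* namespace bound on this node, or NULL */
    struct node *parent;
} node_t;

/* Model of node_find_ns(): nearest namespace on the node or one of its ancestors. */
static const ns_t *node_find_ns(const node_t *n) {
    for (; n != NULL; n = n->parent)
        if (n->ns) return n->ns;
    return NULL;
}

/* Hardened predicate: non-element nodes and nodes without a name never match,
 * so strcmp() is only ever called on two valid strings. ns == NULL means any namespace. */
int node_is_equal_safe(const node_t *n, const char *name, const char *ns) {
    if (n == NULL || n->type != NODE_ELEMENT || n->name == NULL) return 0;
    if (name != NULL && strcmp(n->name, name) != 0) return 0;
    if (ns == NULL) return 1;
    const ns_t *found = node_find_ns(n);
    return found != NULL && found->href != NULL && strcmp(found->href, ns) == 0;
}

/* Mirrors the shape of the reporter's document: a definitions element whose
 * only child is a CDATA section. The child is rejected instead of dereferenced. */
int demo_cdata_child_is_rejected(void) {
    ns_t wsdl    = { "http://schemas.xmlsoap.org/wsdl/" };
    node_t defs  = { NODE_ELEMENT, "definitions", &wsdl, NULL };
    node_t cdata = { NODE_CDATA, NULL, NULL, &defs };
    return node_is_equal_safe(&cdata, "types", "http://schemas.xmlsoap.org/wsdl/") == 0
        && node_is_equal_safe(&defs, "definitions", "http://schemas.xmlsoap.org/wsdl/") == 1
        && node_is_equal_safe(&defs, "definitions", "urn:other") == 0;
}
```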
 [2021-01-28 14:24 UTC] jgalindo at datto dot com
With this being DoS-able, will a CVE be assigned to this?
 [2021-01-29 06:20 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2021-21702
 [2021-01-29 06:20 UTC] stas@php.net
Since it's in SoapClient, looks like needing CVE.
 [2021-01-29 06:22 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2021-02-01 08:16 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c939e3f69955d087e0bb671868f7267dfb2a502
Log: Fix bug #80672 - Null Dereference in SoapClient
 [2021-02-01 08:16 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2021-02-01 08:17 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3c939e3f69955d087e0bb671868f7267dfb2a502
Log: Fix bug #80672 - Null Dereference in SoapClient
 [2021-02-02 19:19 UTC] carusogabriel@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f733ee195462201b2cbd1d17df2f752ee88771ba
Log: Fix bug #80672 - Null Dereference in SoapClient