|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2010-03-24 09:50 UTC] hradtke@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Tue Nov 04 12:00:01 2025 UTC |
Description: ------------ memcache_add_server currently only validates that the weight passed from the script is an integer greater than 0. However, if 0 is passed, the function will happily "add" a server while allocating 0 bytes of memory to store it. On subsequent calls to Memcache::get() or ::set(), this causes a segfeault when mmc_open() attempts to access the memcache struct at that address, which of course does not exist. Below code reproduces for the standard hash strategy, but the same happens with consistent. Most straightforward solution would seem to be just to change the weight check from "weight < 0" to "weight < 1". It also seems like some more strict constraints on this value (ie, a reasonable max) would be useful. Reproduce code: --------------- <?php ini_set('memcache.hash_strategy', 'standard'); $mmc = new Memcache; $mmc->addServer('server.local', 22311, true, 0); $mmc->set('TEST_KEY', 'test_value'); ?> Expected result: ---------------- Memcache::addServer throws an error on attempting to assign a weight of 0, or at least a warning (and then defaults to 1). Actual result: -------------- Segmentation fault on the set() call. Backtrace: #0 0x00002b48bfedc389 in mmc_open (mmc=0x676188e5, force_connect=0, error_string=0x0, errnum=0x0) at /mnt/ebs/memcache-2.2.5/memcache.c:1014 #1 0x00002b48bfee2309 in mmc_standard_find_server (s=0x1e170f30, key=0x7fffefbe57d0 "TEST_KEY", key_len=8) at /mnt/ebs/memcache-2.2.5/memcache_standard_hash.c:89 #2 0x00002b48bfedbb00 in mmc_pool_store (pool=0x1e172558, command=0x2b48bfee44ac "set", command_len=3, key=0x7fffefbe57d0 "TEST_KEY", key_len=8, flags=0, expire=0, value=0x1e172890 "test_value", value_len=10) at /mnt/ebs/memcache-2.2.5/memcache.c:809 #3 0x00002b48bfedf619 in php_mmc_store (ht=2, return_value=0x1e172258, return_value_ptr=0x0, this_ptr=0x1e170268, return_value_used=0, command=0x2b48bfee44ac "set", command_len=3) at /mnt/ebs/memcache-2.2.5/memcache.c:1820 #4 0x00002b48bfee0d2b in zif_memcache_set (ht=2, return_value=0x1e172258, return_value_ptr=0x0, this_ptr=0x1e170268, return_value_used=0) at /mnt/ebs/memcache-2.2.5/memcache.c:2318 #5 0x00000000007aa11b in zend_do_fcall_common_helper_SPEC ( execute_data=0x7fffefbe5c30) at /mnt/ebs/php-5.2.9/Zend/zend_vm_execute.h:200 #6 0x00000000007aafed in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER ( execute_data=0x7fffefbe5c30) at /mnt/ebs/php-5.2.9/Zend/zend_vm_execute.h:322 #7 0x00000000007a9b68 in execute (op_array=0x1e170fa8) at /mnt/ebs/php-5.2.9/Zend/zend_vm_execute.h:92 #8 0x000000000077f341 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /mnt/ebs/php-5.2.9/Zend/zend.c:1134 #9 0x000000000071e5fc in php_execute_script (primary_file=0x7fffefbe82a0) at /mnt/ebs/php-5.2.9/main/main.c:2023 #10 0x000000000080ae8d in main (argc=2, argv=0x7fffefbe84f8) at /mnt/ebs/php-5.2.9/sapi/cli/php_cli.c:1133