|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2016-11-11 09:00 UTC] php at bof dot de
Description:
------------
Using memcache as session handler. Works with a single backend server, fails as indicated below when using two backend servers.
This has been working forever, and is in production using 5.6.27 built the same way as 5.6.28 now. It fails with 5.6.28 on two separate build + test environments (openSUSE 11.4 + 13.1) using different GCC versions and external library base, so it is not build environment related.
Test script:
---------------
?php
# ^session CLI ini variables before call:
#
# session.save_handler = files
# session.save_path = "/var/lib/php5"
# session.use_cookies = 1
# session.use_only_cookies = 1
# session.name = PHPSESSID
# session.auto_start = 0
# session.cookie_lifetime = 0
# session.cookie_path = /
# session.cookie_domain =
# session.cookie_httponly = 1
# session.serialize_handler = php
# session.gc_probability = 1
# session.gc_divisor = 1000
# session.gc_maxlifetime = 1440
# session.bug_compat_42 = Off
# session.bug_compat_warn = Off
# session.referer_check =
# session.entropy_length = 32
# session.entropy_file = /dev/urandom
# session.cache_limiter = nocache
# session.cache_expire = 180
# session.use_trans_sid = 0
# session.hash_function = 3
# session.hash_bits_per_character = 5
# these three just for testing, to suppress headers-sent warning
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');
function test() {
session_name('SID_bof');
session_id('abcdef');
if (!session_start()) {
var_dump('session_start failed');
exit(1);
}
var_dump($_SESSION);
$_SESSION['bof.test'] = 42;
session_write_close();
}
ini_set('session.save_handler', 'memcache');
ini_set('session.save_path', 'tcp://192.168.0.2:11211');
test();
ini_set('session.save_path', 'tcp://192.168.0.3:11211');
test();
ini_set('session.save_path', 'tcp://192.168.0.2:11211, tcp://192.168.0.3:11211');
test();
?>
Expected result:
----------------
# on second run, otherwise these are empty arrays first
array(1) {
'bof.test' =>
int(42)
}
array(1) {
'bof.test' =>
int(42)
}
array(1) {
'bof.test' =>
int(42)
}
Actual result:
--------------
# on second run, otherwise these are empty arrays
array(1) {
'bof.test' =>
int(42)
}
array(1) {
'bof.test' =>
int(42)
}
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 4294967160 bytes) in /tmp/badsess.php on line 37
Call Stack:
0.0001 234880 1. {main}() /tmp/badsess.php:0
0.0028 253808 2. test() /tmp/badsess.php:52
0.0028 253856 3. session_start() /tmp/badsess.php:37
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Oct 24 22:00:02 2025 UTC |
Reproducing with my test script and an --enable-debug build, gives some hint: Fatal error: Allowed memory size of 134217728 bytes exhausted at /usr/src/phb/build/dbg-5.6.28/php-src/ext/standard/url.c:343 (tried to allocate 4294967291 bytes) in /tmp/badsess.php on line 37 url.c:343 is php_url_parse_ex() line ret->path = estrndup(s, (ue-s)); Trying to run under gdb with a breakpoint set there, gives the error in a different place: Fatal error: Allowed memory size of 134217728 bytes exhausted at /usr/src/phb/build/dbg-5.6.28/php-src/ext/standard/url.c:339 (tried to allocate 4294965800 bytes) in /tmp/badsess.php on line 37 That url.c:339 line is: ret->fragment = estrndup(p, (ue-p)); Also setting a breakpoint there. Result: Breakpoint 2, php_url_parse_ex ( str=0x7ffff7fcc830 "tcp://192.168.8.57:11211, tcp://192.168.8.58:11211", length=24) at /usr/src/phb/build/dbg-5.6.28/php-src/ext/standard/url.c:339 339 ret->fragment = estrndup(p, (ue-p)); The plot thickens... :) (gdb) print p $1 = 0x7ffff7fcce21 "\001" (gdb) print ue $2 = 0x7ffff7fcc848 ", tcp://192.168.8.58:11211" (gdb) print ue-p $3 = -1497 That "p" is "(p = memchr(s, '#', (ue - s)))" from line 329. (gdb) print s $4 = 0x7ffff7fcc84e "//192.168.8.58:11211" (gdb) print ue-s $5 = -6 So we have a memchr() call already with negative length (probably undefined behaviour). Here is the change between 5.6.27 and 5.6.28: --- ../release-5.6.27/php-src/ext/standard/url.c 2016-10-20 17:59:31.906609491 +0200 +++ ./php-src/ext/standard/url.c 2016-11-14 19:01:25.283278279 +0100 @@ -217,28 +217,7 @@ goto nohost; } - e = ue; - - if (!(p = memchr(s, '/', (ue - s)))) { - char *query, *fragment; - - query = memchr(s, '?', (ue - s)); - fragment = memchr(s, '#', (ue - s)); - - if (query && fragment) { - if (query > fragment) { - e = fragment; - } else { - e = query; - } - } else if (query) { - e = query; - } else if (fragment) { - e = fragment; - } - } else { - e = p; - } + e = s + strcspn(s, "/?#"); /* check for login and password */ if ((p = zend_memrchr(s, '@', (e-s)))) { Given the input string "tcp://192.168.8.57:11211, tcp://192.168.8.58:11211" and "s" already past the initial "tcp://", the old code would have found the '/', then wouldn't have found '?' or '#' - AND THUS WOULD HAVE LEFT "e" alone. After that change, "e" will be at the first '/' of the SECOND "argument", so that the code further effectively tries to parse "192.168.8.57:11211, tcp:" and then goes astray....The following patch fixes the issue for the memcache extension, by making a temporary copy of the single server parts of save_path before calling php_url_parse_ex: --- ../release-5.6.28//memcache/memcache_session.c 2016-11-10 16:27:45.963096097 +0100 +++ ./memcache/memcache_session.c 2016-11-15 16:07:09.186618020 +0100 @@ -90,7 +90,10 @@ efree(path); } else { - url = php_url_parse_ex(save_path+i, j-i); + int len = j-i; + char *path = estrndup(save_path+i, len); + url = php_url_parse_ex(path, strlen(path)); + efree(path); } if (!url) {