Bug #17240 curl crash with CURLOPT_POSTFIELDS set to ""
Submitted: 2002-05-15 05:49 UTC Modified: 2002-05-21 15:47 UTC
From: chris-php at bolt dot cx Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.2.1 OS: Linux 2.4.19-pre4 (Suse)
Private report: No CVE-ID: None
 [2002-05-15 05:49 UTC] chris-php at bolt dot cx
This script will crash php:

<?php
// Reproducer as posted: an HTTP POST whose body is the empty string "".
// On PHP 4.2.1 with libcurl 7.9.7 this segfaults inside libcurl after the
// connection is established (see the backtrace that follows).
$cs = curl_init();
curl_setopt($cs, CURLOPT_VERBOSE, 1);
curl_setopt($cs, CURLOPT_URL, "http://www.google.com/");
curl_setopt($cs, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($cs, CURLOPT_POST, 1);
curl_setopt($cs, CURLOPT_POSTFIELDS, "");   // zero-length body: the trigger
echo(curl_exec($cs));
curl_close($cs);
?>

$ php -q curltest.php
* About to connect() to www.google.com:80
* Connected to www.google.com (216.239.51.101) port 80
Segmentation fault (core dumped)

$ gdb /usr/local/bin/php ./core
GNU gdb 5.2
...
Loaded symbols for /lib/libnss_dns.so.2
#0  0x40057766 in curl_mvaprintf (format=0x400ca692 "%s", ap_save=0xbfffe1fc)
    at mprintf.c:1065
1065      info.buffer[info.len] = 0; /* we terminate this with a zero byte */
(gdb) bt
#0  0x40057766 in curl_mvaprintf (format=0x400ca692 "%s", ap_save=0xbfffe1fc)
    at mprintf.c:1065
#1  0x4004ad4a in add_bufferf (in=0x81dd968, fmt=0x400ca692 "%s") at http.c:180
#2  0x4004c33e in Curl_http (conn=0x81dd2c0) at http.c:942
#3  0x40052906 in Curl_do (connp=0xbfffe3e4) at url.c:2428
#4  0x4005b676 in Curl_perform (data=0x81e2928) at transfer.c:1139
#5  0x4005babf in curl_easy_perform (curl=0x81e2928) at easy.c:245
#6  0x080f10a3 in zif_curl_exec (ht=1, return_value=0x81e2024, this_ptr=0x0,
    return_value_used=1) at curl.c:876
#7  0x0813f6fa in execute (op_array=0x81dd1b4) at ./zend_execute.c:1598
#8  0x080cde49 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:810
#9  0x08066fb1 in php_execute_script (primary_file=0xbffffa44) at main.c:1381
#10 0x080611b1 in main (argc=3, argv=0xbffffad4) at cgi_main.c:778
#11 0x4018bc6f in __libc_start_main () from /lib/libc.so.6
(gdb)

$ php -v
4.2.1
$ curl --version
curl 7.9.7 (i686-pc-linux-gnu) libcurl 7.9.7 (OpenSSL 0.9.6c)

 [2002-05-15 17:57 UTC] daniel at haxx dot se
(I'm the main author of libcurl, in which this crash happens)

I believe the problem is related to what data is actually passed in to libcurl for the CURLOPT_POSTFIELDS option.

If CURLOPT_POSTFIELDS is unused, or set to 0 (zero), libcurl will strlen() the previous pointer to find out the length of it. Frame #2 shows the library depending on the pointer and a zero termination.
 [2002-05-21 15:47 UTC] edink@php.net
Thanks to daniel@haxx.se this was confirmed to be a bug in libcurl which will be fixed in the next release.
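The failure class described in the thread, a library deriving the length of a caller-supplied POST body with strlen() on whatever pointer it holds and then emitting it through a "%s" format, is illustrated below with a constructed request builder. This is an added example for this page, not libcurl's or PHP's own code, and the struct post_opts, body_len_fragile, body_len_safe and build_post names are assumptions invented here; the "size == -1 means measure it" convention is also an assumption of the model, not a statement about libcurl 7.9.7 internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the two options involved (not libcurl's own structures). */
struct post_opts {
    const char *fields; /* caller's body buffer: may be NULL or "" */
    long size;          /* -1 = not given (assumed convention), else exact byte count */
};

/* Fragile length derivation: with no explicit size it calls strlen() on whatever
 * pointer is stored, so a NULL or stale pointer crashes and a buffer that is not
 * zero-terminated is over-read. Shown only to contrast with the safe version. */
long body_len_fragile(const struct post_opts *o)
{
    return o->size < 0 ? (long)strlen(o->fields) : o->size;
}

/* Hardened: a missing buffer is a zero-byte body whatever the size says, an
 * explicit size is honoured without touching the bytes, and strlen() only runs
 * when the caller supplied a string and no length. */
long body_len_safe(const struct post_opts *o)
{
    if (o->fields == NULL)
        return 0;
    if (o->size >= 0)
        return o->size;
    return (long)strlen(o->fields);
}

/* Writes the Content-Length header and the body into out (capacity cap) and
 * returns the byte count written, or -1 if it would not fit. The body is copied
 * with memcpy() using the computed length, never with a "%s" that re-measures it,
 * so a zero-length body yields exactly "Content-Length: 0" and no body bytes. */
long build_post(const struct post_opts *o, char *out, size_t cap)
{
    long len = body_len_safe(o);
    int hdr = snprintf(out, cap, "Content-Length: %ld\r\n\r\n", len);
    if (hdr < 0 || (size_t)hdr + (size_t)len >= cap)
        return -1;
    if (len > 0)
        memcpy(out + hdr, o->fields, (size_t)len);
    out[hdr + len] = '\0';
    return hdr + len;
}

int main(void)
{
    char buf[256];
    struct post_opts empty = { "", -1 };        /* the reporter's case: "" */
    struct post_opts unset = { NULL, -1 };      /* option never set */
    struct post_opts exact = { "a=1&b=2", 3 };  /* explicit size wins over strlen() */

    printf("empty: %ld bytes\n", build_post(&empty, buf, sizeof buf));
    printf("unset: %ld bytes\n", build_post(&unset, buf, sizeof buf));
    build_post(&exact, buf, sizeof buf);
    fwrite(buf, 1, strlen(buf), stdout);
    putchar('\n');
    return 0;
}
```

The practitioner's check is the one build_post makes: the byte count is decided once, from an explicit size where the caller gave one, and every later step (header value, copy, bounds check) uses that same number rather than re-deriving it from the pointer.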
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Oct 18 19:01:28 2019 UTC