Bug #26235 Bad results in yp_first/yp_next with a Solaris NIS server
Submitted: 2003-11-13 05:56 UTC
Modified: 2007-04-04 19:05 UTC
From: benoit dot sibaud at rd dot francetelecom dot com
Assigned:
Status: Closed
Package: Unknown/Other Function
PHP Version: 4.3.4
OS: Debian GNU/Linux Woody
Private report: No
CVE-ID:
 [2003-11-13 05:56 UTC] benoit dot sibaud at rd dot francetelecom dot com
Description:
------------
YP/NIS server is a Solaris 2.7 Sparc.
PHP clients are Debian GNU/Linux Intel (several versions). (php version 4.1.2, at the beginning).

It looks like there are some problems with (non)null terminated strings in yp_first and yp_next functions.

The following patch sanitizes the outkey in yp_first and yp_next (code taken from yp_cat), and removes the unneeded warning from bug #12345, "[16 Oct 2002 9:14am EDT] tshort at cisco dot com"

--- php-4.3.4/ext/yp/yp.c       2003-09-26 12:13:30.000000000 +0200
+++ php-4.1.2-patched/ext/yp/yp.c       2003-11-13 09:48:32.000000000 +0100
@@ -167,7 +167,7 @@
 PHP_FUNCTION(yp_first)
 {
        pval **domain, **map;
-       char *outval, *outkey;
+       char *outval, *outkey, *goodkey;
        int outvallen, outkeylen;

        if((ZEND_NUM_ARGS() != 2) || zend_get_parameters_ex(2,&domain,&map) == FAILURE) {
@@ -182,7 +182,15 @@
                RETURN_FALSE;
        }
        array_init(return_value);
-       add_assoc_stringl_ex(return_value,outkey,outkeylen,outval,outvallen,1);
+       goodkey = emalloc(outkeylen+1);
+       if(goodkey) {
+               strlcpy(goodkey, outkey, outkeylen+1);
+               add_assoc_stringl_ex(return_value, goodkey, outkeylen+1, outval, outvallen, 1);
+               efree(goodkey);
+       } else {
+               php_error(E_WARNING, "Can't allocate %d bytes for key buffer in yp_next()", outkeylen+1);
+       }
+/*     add_assoc_stringl_ex(return_value,outkey,outkeylen,outval,outvallen,1);*/

        /* Deprecated */
        add_assoc_stringl(return_value,"key",outkey,outkeylen,1);
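
Review bot: strlcpy(goodkey, outkey, outkeylen+1) in the yp_first hunk still walks outkey until it finds a NUL in order to compute its return value, so when outkey is not NUL-terminated (the case this report describes) the call reads past the outkeylen bytes that were returned. Copying the known length with memcpy(goodkey, outkey, outkeylen) and then setting goodkey[outkeylen] = '\0' avoids scanning the source. Two smaller points in the same hunk: the warning in the else branch names yp_next() although this is yp_first, and the old add_assoc_stringl_ex call should be deleted rather than left commented out.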
@@ -195,7 +203,7 @@
 PHP_FUNCTION(yp_next)
 {
        pval **domain, **map, **key;
-       char *outval, *outkey;
+       char *outval, *outkey, *goodkey;
        int outvallen, outkeylen;

        if((ZEND_NUM_ARGS() != 3) || zend_get_parameters_ex(3,&domain,&map,&key) == FAILURE) {
@@ -207,12 +215,20 @@
        convert_to_string_ex(key);

        if((YP(error) = yp_next(Z_STRVAL_PP (domain), Z_STRVAL_PP (map), Z_STRVAL_PP (key), Z_STRLEN_PP (key), &outkey, &outkeylen, &outval, &outvallen))) {
-               php_error(E_WARNING, yperr_string (YP(error)));
+               /*php_error(E_WARNING, yperr_string (YP(error)));*/
                RETURN_FALSE;
        }
        array_init(return_value);
-       add_assoc_stringl_ex(return_value,outkey,outkeylen,outval,outvallen,1);
+       goodkey = emalloc(outkeylen+1);
+       if(goodkey) {
+               strlcpy(goodkey, outkey, outkeylen+1);
+               add_assoc_stringl_ex(return_value, goodkey, outkeylen+1, outval, outvallen, 1);
+               efree(goodkey);
+       } else {
+               php_error(E_WARNING, "Can't allocate %d bytes for key buffer in yp_next()", outkeylen+1);
+       }
+/*     add_assoc_stringl_ex(return_value,outkey,outkeylen,outval,outvallen,1); */
 }
 /* }}} */
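
Review bot: Commenting out php_error(E_WARNING, yperr_string (YP(error))) in yp_next silences every yp_next failure, not only the end-of-map case that produces the "No more records in map database" warning shown in the report. Compare YP(error) with YPERR_NOMORE and skip the warning only for that code, so that other lookup errors still reach the caller's log. The goodkey block here is a verbatim copy of the one added to yp_first, including its strlcpy call, which scans outkey for a NUL; a small static helper that does a length-bounded copy would serve both functions and keep them in sync.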


Reproduce code:
---------------
<?php
$entry = yp_first($domain, $map);
$key = $entry ["key"];
echo "key #" . $key . "# value #" . $entry["value"]."#\n";

while ($entry) {
  $entry = yp_next($domain, $map, $key);
  if ($entry) {
    $key = key ($entry);
    $yplist[$key] = $entry[$key];
    echo "key #" . $key . "# value #" . $entry[$key]."#\n";
  } 
}
?>


Expected result:
----------------
### With PHP 3.0.18 (from Debian GNU/Linux Woody), this script works.

key #goodkey1# value #goodvalue1#
key #goodkey2# value #goodvalue2#
(...)
key #goodkey3# value #goodvalue3#

### With PHP 4.1.2 (from Debian GNU/Linux Woody) + php-4.3.4/ext/yp/yp.c + patch

It works.

Actual result:
--------------
### With PHP 4.1.2 (from Debian GNU/Linux Woody), this script fails.

key #goodkey1# value #goodvalue1#
key #goodkey2# value ##
(...)
key #goodkey3# value ##
<br />
<b>Warning</b>:  No more records in map database in <b>foobar.php</b> on
line <b>11</b><br />

Debug with serialization and print_r:

a:3:{s:7:"goodkey1_without_last_char";s:99:"goodvalue1";s:3:"key";s:8:"goodkey1";s:5:"value";s:99:"goodvalue1";}
Array
(
    [goodkey1+garbage] => goodvalue1
    [key] => goodkey1
    [value] => goodvalue1
)
key #goodkey1# value #goodvalue1#
a:1:{s:7:"goodkey2_without_last_char";s:93:"goodvalue2";}
Array
(
    [goodkey2+garbage] => goodvalue2
)
key #goodkey2# value ##

### With PHP 4.1.2 (from Debian GNU/Linux Woody) + php-4.3.4/ext/yp/yp.c (I believe it's equivalent to a full PHP 4.3.4 for this test)

Same wrong results.
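
The off-by-one visible in the debug output above (s:7 for the 8-character key, and print_r running on into garbage), as an added C example that is not part of the original report or of PHP's source. It assumes, as the patch's outkeylen+1 implies, a hash API whose key length counts the terminating NUL; stored_key, key_dup, wire and WIRE_KEYLEN are hypothetical names and the sample buffer is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a hash API whose key_len counts the trailing
 * NUL, so it keeps key_len-1 bytes. Not the Zend implementation. */
static size_t stored_key(char *dst, size_t dstsz, const char *key, size_t key_len)
{
    size_t visible = key_len ? key_len - 1 : 0;
    if (visible >= dstsz) visible = dstsz - 1;
    memcpy(dst, key, visible);
    dst[visible] = '\0';
    return visible;
}

/* Copy exactly len bytes and terminate; never scans src for a NUL. */
static char *key_dup(const char *src, size_t len)
{
    char *k = malloc(len + 1);
    if (!k) return NULL;
    memcpy(k, src, len);
    k[len] = '\0';
    return k;
}

/* Constructed sample: 8-byte key with unrelated bytes right after it. */
static const char wire[] = { 'g','o','o','d','k','e','y','1','X','Y','Z' };
#define WIRE_KEYLEN 8

/* Unpatched call shape: raw buffer, length without the NUL. */
static size_t key_before(char *out, size_t n) { return stored_key(out, n, wire, WIRE_KEYLEN); }

/* Patched call shape: terminated copy, length + 1. */
static size_t key_after(char *out, size_t n)
{
    char *k = key_dup(wire, WIRE_KEYLEN);
    size_t r = k ? stored_key(out, n, k, WIRE_KEYLEN + 1) : 0;
    free(k);
    return r;
}

int main(void)
{
    char b[32];
    key_before(b, sizeof b); printf("before: %s\n", b);
    key_after(b, sizeof b);  printf("after:  %s\n", b);
    return 0;
}
```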

 [2003-11-13 19:30 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 