php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #26235 Bad results in yp_first/yp_next with a Solaris NIS server
Submitted: 2003-11-13 05:56 UTC Modified: 2007-04-04 19:05 UTC
From: benoit dot sibaud at rd dot francetelecom dot com Assigned:
Status: Closed Package: Unknown/Other Function
PHP Version: 4.3.4 OS: Debian GNU/Linux Woody
Private report: No CVE-ID: None
View Developer Edit
 [2003-11-13 05:56 UTC] benoit dot sibaud at rd dot francetelecom dot com 
Description:
------------
YP/NIS server is a Solaris 2.7 Sparc.
PHP clients are Debian GNU/Linux Intel (several versions). (php version 4.1.2, at the beginning).

It looks like there is some problems with (non)null terminated strings in yp_first and yp_next functions.

The following patch sanitizes the outkey in yp_first and yp_next (code taken from yp_cat), and removes the unneeded warning from bug #12345, "[16 Oct 2002 9:14am EDT] tshort at cisco dot com"

--- php-4.3.4/ext/yp/yp.c       2003-09-26 12:13:30.000000000 +0200
+++ php-4.1.2-patched/ext/yp/yp.c       2003-11-13 09:48:32.000000000 +0100
@@ -167,7 +167,7 @@
 PHP_FUNCTION(yp_first)
 {
        pval **domain, **map;
-       char *outval, *outkey;
+       char *outval, *outkey, *goodkey;
        int outvallen, outkeylen;

        if((ZEND_NUM_ARGS() != 2) || zend_get_parameters_ex(2,&domain,&map) == FAILURE) {
@@ -182,7 +182,15 @@
                RETURN_FALSE;
        }
        array_init(return_value);
-       add_assoc_stringl_ex(return_value,outkey,outkeylen,outval,outvallen,1);
+       goodkey = emalloc(outkeylen+1);
+       if(goodkey) {
+               strlcpy(goodkey, outkey, outkeylen+1);
+               add_assoc_stringl_ex(return_value, goodkey, outkeylen+1, outval, outvallen, 1);
+               efree(goodkey);
+       } else {
+               php_error(E_WARNING, "Can't allocate %d bytes for key buffer in yp_next()", outkeylen+1);
+       }
+/*     add_assoc_stringl_ex(return_value,outkey,outkeylen,outval,outvallen,1);*/

        /* Deprecated */
        add_assoc_stringl(return_value,"key",outkey,outkeylen,1);
@@ -195,7 +203,7 @@
 PHP_FUNCTION(yp_next)
 {
        pval **domain, **map, **key;
-       char *outval, *outkey;
+       char *outval, *outkey, *goodkey;
        int outvallen, outkeylen;

        if((ZEND_NUM_ARGS() != 3) || zend_get_parameters_ex(3,&domain,&map,&key) == FAILURE) {
@@ -207,12 +215,20 @@
        convert_to_string_ex(key);

        if((YP(error) = yp_next(Z_STRVAL_PP (domain), Z_STRVAL_PP (map), Z_STRVAL_PP (key), Z_STRLEN_PP (key), &outkey, &outkeylen, &outval, &outvallen))) {
-               php_error(E_WARNING, yperr_string (YP(error)));
+               /*php_error(E_WARNING, yperr_string (YP(error)));*/
                RETURN_FALSE;
        }
        array_init(return_value);
-       add_assoc_stringl_ex(return_value,outkey,outkeylen,outval,outvallen,1);
+       goodkey = emalloc(outkeylen+1);
+       if(goodkey) {
+               strlcpy(goodkey, outkey, outkeylen+1);
+               add_assoc_stringl_ex(return_value, goodkey, outkeylen+1, outval, outvallen, 1);
+               efree(goodkey);
+       } else {
+               php_error(E_WARNING, "Can't allocate %d bytes for key buffer in yp_next()", outkeylen+1);
+       }
+/*     add_assoc_stringl_ex(return_value,outkey,outkeylen,outval,outvallen,1); */
 }
 /* }}} */


Reproduce code:
---------------
<?php
$entry = yp_first($domain, $map);
$key = $entry ["key"];
echo "key #" . $key . "# value #" . $entry["value"]."#\n";

while ($entry) {
  $entry = yp_next($domain, $map, $key);
  if ($entry) {
    $key = key ($entry);
    $yplist[$key] = $entry[$key];
    echo "key #" . $key . "# value #" . $entry[$key]."#\n";
  } 
}
?>


Expected result:
----------------
### With PHP 3.0.18 (from Debian GNU/Linux Woody), this script works.

key #goodkey1# value #goodvalue1#
key #goodkey2# value #goodvalue2#
(...)
key #goodkey3# value #goodvalue3#

### With PHP 4.1.2 (from Debian GNU/Linux Woody) + php-4.3.4/ext/yp/yp.c + patch

It works.

Actual result:
--------------
### With PHP 4.1.2 (from Debian GNU/Linux Woody), this script fails.

key #goodkey1# value #goodvalue1#
key #goodkey2# value ##
(...)
key #goodkey3# value ##
<br />
<b>Warning</b>:  No more records in map database in <b>foobar.php</b> on
line <b>11</b><br />

Debug with serialization and print_r:

a:3:{s:7:"goodkey1_without_last_char";s:99:"goodvalue1";s:3:"key";s:8:"goodkey1";s:5:"value";s:99:"goodvalue1";}
Array
(
    [goodkey1+garbage] => goodvalue1
    [key] => goodkey1
    [value] => goodvalue1
)
key #goodkey1# value #goodvalue1#
a:1:{s:7:"goodkey2_without_last_char";s:93:"goodvalue2";}
Array
(
    [goodkey2+garbage] => goodvalue2
)
key #goodkey2# value ##

### With PHP 4.1.2 (from Debian GNU/Linux Woody) + php-4.3.4/ext/yp/yp.c (I believe it's equivalent to a full PHP 4.3.4 for this test)

Same wrong results.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-11-13 19:30 UTC] iliaa@php.net 
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Nov 23 11:01:28 2024 UTC