php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #39883 ftp_get - coredump
Submitted: 2006-12-19 12:41 UTC Modified: 2008-07-11 21:26 UTC
Votes:4
Avg. Score:4.2 ± 0.8
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:1 (25.0%)
From: youza at post dot cz Assigned:
Status: Wont fix Package: FTP related
PHP Version: 4.4.4 OS: Fedora Core 4
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: youza at post dot cz
New email:
PHP Version: OS:

 

 [2006-12-19 12:41 UTC] youza at post dot cz
Description:
------------
The ftp_get file transfer generate core dump -

[notice] child pid 5999 exit signal Segmentation fault (11), possible coredump in /usr/tmp

after reloading WWW this file transfered, but next reload
generate new core dump etc....

php =  4.4.4
apache = httpd-2.0.54-10.4 (fedora RPM)



Reproduce code:
---------------
$ftp_server = 'my_server';
$ftp_user_name = 'my_name';
$ftp_user_pass = 'my_pass';

// define some variables
$local_file = 'test_l.dat';
$server_file = 'test.dat';

// set up basic connection
$conn_id = ftp_connect($ftp_server);

// login with username and password
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);

// try to download $server_file and save to $local_file
$res = ftp_get($conn_id, $local_file, $server_file, FTP_BINARY);
if ($res) {
    echo "<br>Successfully written to $local_file\n";
} else {
    echo "<br>There was a problem\n";
}

// close the connection
ftp_close($conn_id);

Expected result:
----------------
Transfer the files.



Actual result:
--------------
gdb /usr/lib/debug/usr/sbin/httpd.debug /usr/tmp/core.5999 

..


#0  0x00ff32f4 in ?? () from /etc/httpd/modules/libphp4.so
(gdb) bt
#0  0x00ff32f4 in ?? () from /etc/httpd/modules/libphp4.so
#1  0x01028920 in zif_ftp_get (ht=4, return_value=0xad4d0cc, this_ptr=0x0, return_value_used=1)
    at /usr/src/debug/php-4.4.4/ext/ftp/php_ftp.c:648
#2  0x010ffb85 in execute (op_array=0xad48c8c) at /usr/src/debug/php-4.4.4/Zend/zend_execute.c:1675
#3  0x010e6139 in zend_execute_scripts (type=8, retval=Variable "retval" is not available.
) at /usr/src/debug/php-4.4.4/Zend/zend.c:934
#4  0x010b72f5 in php_execute_script (primary_file=0xbfc36408) at /usr/src/debug/php-4.4.4/main/main.c:1752
#5  0x0110576e in php_handler (r=0xad417f8) at /usr/src/debug/php-4.4.4/sapi/apache2handler/sapi_apache2.c:596
#6  0x002fde8c in ap_run_handler (r=0xad417f8) at /usr/src/debug/httpd-2.0.54/server/config.c:157
#7  0x002fe227 in ap_invoke_handler (r=0xad417f8) at /usr/src/debug/httpd-2.0.54/server/config.c:369
#8  0x002fad6b in ap_process_request (r=0xad417f8) at /usr/src/debug/httpd-2.0.54/modules/http/http_request.c:249
#9  0x002f5683 in ap_process_http_connection (c=0xad3b5b0) at /usr/src/debug/httpd-2.0.54/modules/http/http_core.c:251
#10 0x00308a2b in ap_run_process_connection (c=0xad3b5b0) at /usr/src/debug/httpd-2.0.54/server/connection.c:43
#11 0x00308d60 in ap_process_connection (c=0xad3b5b0, csd=0xad3b4d8) at /usr/src/debug/httpd-2.0.54/server/connection.c:176
#12 0x002fbcfe in child_main (child_num_arg=Variable "child_num_arg" is not available.
) at /usr/src/debug/httpd-2.0.54/server/mpm/prefork/prefork.c:610
#13 0x002fbfba in make_child (s=0x9cc9e88, slot=24) at /usr/src/debug/httpd-2.0.54/server/mpm/prefork/prefork.c:704
#14 0x002fc090 in startup_children (number_to_start=6) at /usr/src/debug/httpd-2.0.54/server/mpm/prefork/prefork.c:722
#15 0x002fca52 in ap_mpm_run (_pconf=0x9cc80a8, plog=0x9cf4158, s=0x9cc9e88)
    at /usr/src/debug/httpd-2.0.54/server/mpm/prefork/prefork.c:941
#16 0x0030377e in main (argc=2, argv=0xbfc368b4) at /usr/src/debug/httpd-2.0.54/server/main.c:619

frame 2
#2  0x010ffb85 in execute (op_array=0xad48c8c) at /usr/src/debug/php-4.4.4/Zend/zend_execute.c:1675
1675                                                            ((zend_internal_function *) EX(function_state).function)->handler(EX(opline)->extended_value, EX(Ts)[EX(opline)->result.u.var].var.ptr, EX(object).ptr, return_value_used TSRMLS_CC);

(gdb) print (char *)(executor_globals.function_state_ptr->function)->common.function_name
$1 = 0x110efc5 "ftp_get"

(gdb) print (char *)executor_globals.active_op_array->function_name
$2 = 0x0



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-12-20 13:49 UTC] youza at post dot cz
Hmm I run this command with my version PHP 4.4.4 (no CVS)and this command is ok -file transferred.
/usr/bin/php -c ./etc/php.ini test.php

But access this page over www  http:/my.server/test.php
is buggy and produce coredump.
cli version is ok byt apache module is bad ?
 [2006-12-20 14:01 UTC] tony2001@php.net
Please set up different Apache instance listening to different port and using the latest snapshot.
 [2006-12-22 09:32 UTC] youza at post dot cz
I use new apache instance and last php CVS (php4-STABLE-200612210930.tar.gz)- the changes is config only port, and
path to  *.so php file
The result:
apache errot log does not contain the Segmentation fault
message but file is'nt copied. In the script directory (php ??) create file "0"  - the file contains: 
[22-Dec-2006 10:16:11] PHP Warning:  ftp_get(): Opening BINARY mode data connection for test.dat (1106982 bytes). in /web/docs/tester/youza/ftp/test.php on line 35

I running stace - this is result:
.......
open("/web/docs/tester/youza/ftp/test.php", O_RDONLY) = 1736
fstat64(1736, {st_mode=S_IFREG|0644, st_size=1025, ...}) = 0
fstat64(1736, {st_mode=S_IFREG|0644, st_size=1025, ...}) = 0
lseek(1736, 0, SEEK_CUR)                = 0
lseek(1736, 0, SEEK_SET)                = 0
read(1736, "<?\r\n#error_reporting (E_ALL);\r\n#"..., 8192) = 1025
read(1736, "", 8192)                    = 0
close(1736)                             = 0
time(NULL)                              = 1166779143
open("/etc/hosts", O_RDONLY)            = 1736
fcntl64(1736, F_GETFD)                  = 0
fcntl64(1736, F_SETFD, FD_CLOEXEC)      = 0
fstat64(1736, {st_mode=S_IFREG|0644, st_size=191, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f1c000
read(1736, "# Do not remove the following li"..., 4096) = 191
close(1736)                             = 0
munmap(0xb7f1c000, 4096)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 1736
connect(1736, {sa_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("193.165.254.13")}, 16) = 0
getsockname(1736, {sa_family=AF_INET, sin_port=htons(45096), sin_addr=inet_addr("193.165.254.13")}, [16]) = 0
select(1737, [1025 1027 1028 1030 1091 1092 1093 1095 1096 1098 1099 1101 1102 1103 1104 1108 1109 1110 1111 1122 1123 1127 1130 1131 1132 1135 1137 1143 1144 1147 1154 1162 1163 1164 1167 1169 1175 1176 1179 1187 1188 1189 1190 1191 1192 1197 1198 1200 1201 1202 1203 1204 1205 1207 1208 1209 1210 1211 1212 1213 1215 1221 1223 1226 1227 1228 1230 1232 1233 1234 1235 1236 1238 1239 1260 1377 1379 1380 1382 1410 1411 1415 1418 1419 1420 1423 1425 1431 1432 1435 1452 1475 1476 1477 1479 1480 1482 1483 1485 1486 1487 1488 1492 1493 1494 1495 1507 1514 1515 1516 1519 1521 1527 1528 1531 1538 1546 1547 1548 1551 1553 1559 1560 1563 1571 1572 1573 1577 1581 1582 1584 1585 1586 1587 1588 1589 1591 1592 1593 1594 1595 1596 1597 1599 1600 1606 1610 1611 1612 1613 1614 1616 1617 1618 1619 1620 1622 1623 1635 1638 1639 1641 1642 1667 1674 1675 1676 1679 1681 1687 1688 1691 1699 1701 1705 1709 1710 1712 1713 1714 1715 1716 1717 1719 1720 1721 1722 1723 1724 1725 1727 1733 1736], NULL, NULL, {90, 0}) = 192 (in [1025 1027 1028 1030 1091 1092 1093 1095 1096 1098 1099 1101 1102 1103 1104 1108 1109 1110 1111 1122 1123 1127 1130 1131 1132 1135 1137 1143 1144 1147 1154 1162 1163 1164 1167 1169 1175 1176 1179 1187 1188 1189 1190 1191 1192 1197 1198 1200 1201 1202 1203 1204 1205 1207 1208 1209 1210 1211 1212 1213 1215 1221 1223 1226 1227 1228 1230 1232 1233 1234 1235 1236 1238 1239 1260 1377 1379 1380 1382 1410 1411 1415 1418 1419 1420 1423 1425 1431 1432 1435 1452 1475 1476 1477 1479 1480 1482 1483 1485 1486 1487 1488 1492 1493 1494 1495 1507 1514 1515 1516 1519 1521 1527 1528 1531 1538 1546 1547 1548 1551 1553 1559 1560 1563 1571 1572 1573 1577 1581 1582 1584 1585 1586 1587 1588 1589 1591 1592 1593 1594 1595 1596 1597 1599 1600 1606 1610 1611 1612 1613 1614 1616 1617 1618 1619 1620 1622 1623 1635 1638 1639 1641 1642 1667 1674 1675 1676 1679 1681 1687 1688 1691 1699 1701 1705 1709 1710 1712 1713 1714 1715 1716 1717 1719 1720 1721 1722 1723 1724 1725 1727 1733], left {90, 0})
recv(1736, "220 FTP\r\n", 4096, 0)      = 9
select(1737, NULL, [1025 1027 1028 1030 1091 1092 1093 1095 1096 1098 1099 1101 1102 1103 1104 1108 1109 1110 1111 1120 1122 1123 1154 1156 1159 1162 1163 1165 1167 1169 1175 1176 1179 1187 1188 1189 1190 1191 1192 1197 1198 1200 1201 1202 1203 1204 1205 1207 1208 1209 1210 1211 1212 1213 1215 1218 1219 1220 1221 1224 1226 1228 1230 1232 1233 1234 1235 1236 1238 1239 1248 1250 1251 1284 1285 1288 1289 1290 1293 1295 1296 1298 1299 1301 1302 1303 1315 1316 1321 1322 1323 1325 1326 1329 1330 1331 1333 1334 1335 1346 1347 1348 1349 1352 1354 1355 1357 1358 1359 1361 1367 1368 1371 1379 1380 1381 1383 1384 1386 1387 1389 1390 1391 1392 1396 1397 1398 1399 1411 1412 1417 1418 1419 1421 1422 1425 1426 1427 1429 1430 1431 1442 1450 1451 1452 1455 1457 1463 1464 1467 1475 1476 1477 1479 1480 1482 1483 1485 1486 1487 1488 1492 1493 1494 1495 1506 1514 1515 1516 1519 1521 1527 1528 1531 1571 1573 1577 1581 1582 1584 1585 1586 1587 1588 1589 1591 1592 1593 1594 1595 1596 1597 1599 1601 1602 1607 1611 1612 1613 1614 1616 1617 1618 1619 1620 1622 1623 1635 1637 1638 1641 1645 1646 1648 1649 1650 1651 1652 1653 1655 1656 1657 1658 1659 1660 1661 1663 1666 1667 1669 1672 1673 1677 1681 1687 1688 1691 1698 1706 1707 1708 1711 1713 1719 1720 1723 1729 1730 1733 1735 1736], NULL, {90, 0}) = 251 (out [1025 1027 1028 1030 1091 1092 1093 1095 1096 1098 1099 1101 1102 1103 1104 1108 1109 1110 1111 1120 1122 1123 1154 1156 1159 1162 1163 1165 1167 1169 1175 1176 1179 1187 1188 1189 1190 1191 1192 1197 1198 1200 1201 1202 1203 1204 1205 1207 1208 1209 1210 1211 1212 1213 1215 1218 1219 1220 1221 1224 1226 1228 1230 1232 1233 1234 1235 1236 1238 1239 1248 1250 1251 1284 1285 1288 1289 1290 1293 1295 1296 1298 1299 1301 1302 1303 1315 1316 1321 1322 1323 1325 1326 1329 1330 1331 1333 1334 1335 1346 1347 1348 1349 1352 1354 1355 1357 1358 1359 1361 1367 1368 1371 1379 1380 1381 1383 1384 1386 1387 1389 1390 1391 1392 1396 1397 1398 1399 1411 1412 1417 1418 1419 1421 1422 1425 1426 1427 1429 1430 1431 1442 1450 1451 1452 1455 1457 1463 1464 1467 1475 1476 1477 1479 1480 1482 1483 1485 1486 1487 1488 1492 1493 1494 1495 1506 1514 1515 1516 1519 1521 1527 1528 1531 1571 1573 1577 1581 1582 1584 1585 1586 1587 1588 1589 1591 1592 1593 1594 1595 1596 1597 1599 1601 1602 1607 1611 1612 1613 1614 1616 1617 1618])
send(1736, "USER tester\r\n", 13, 0)    = 13
select(1737, [1025 1027 1028 1030 1091 1092 1093 1095 1096 1098 1099 1101 1102 1103 1104 1108 1109 1110 1111 1122 1123 1127 1130 1131 1132 1135 1137 1143 1144 1147 1154 1162 1163 1164 1167 1169 1175 1176 1179 1187 1188 1189 1190 1191 1192 1197 1198 1200 1201 1202 1203 1204 1205 1207 1208 1209 1210 1211 1212 1213 1215 1221 1223 1226 1227 1228 1230 1232 1233 1234 1235 1236 1238 1239 1260 1284 1285 1288 1289 1290 1293 1295 1296 1298 1299 1301 1302 1303 1315 1316 1321 1322 1323 1325 1326 1329 1330 1331 1333 1334 1335 1346 1347 1348 1349 1352 1354 1355 1357 1358 1359 1361 1367 1368 1371 1379 1380 1381 1383 1384 1386 1387 1389 1390 1391 1392 1396 1397 1398 1399 1410 1411 1415 1418 1419 1420 1423 1425 1431 1432 1435 1452 1475 1476 1477 1479 1480 1482 1483 1485 1486 1487 1488 1492 1493 1494 1495 1506 1514 1515 1516 1519 1521 1527 1528 1531 1571 1573 1577 1581 1582 1584 1585 1586 1587 1588 1589 1591 1592 1593 1594 1595 1596 1597 1599 1600 1601 1603 1604 1607 1611 1612 1613 1614 1616 1617 1618 1619 1620 1622 1623 1635 1637 1638 1641 1645 1646 1648 1649 1650 1651 1652 1653 1655 1656 1657 1658 1659 1660 1661 1663 1666 1667 1669 1672 1673 1677 1681 1687 1688 1691 1698 1706 1707 1708 1711 1713 1719 1720 1723 1729 1730 1733 1735 1736], NULL, NULL, {90, 0}*** buffer overflow detected ***: strace terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xc23bc5]
/lib/libc.so.6(__strcpy_chk+0x0)[0xc23218]
strace[0x804fbd7]
strace[0x804c7bb]
strace[0x804b8f9]
/lib/libc.so.6(__libc_start_main+0xdf)[0xb5ad7f]
strace[0x80495f1]
======= Memory map: ========
00b27000-00b28000 r-xp 00b27000 00:00 0          [vdso]
00b28000-00b42000 r-xp 00000000 09:01 7070985    /lib/ld-2.3.6.so
00b42000-00b43000 r-xp 00019000 09:01 7070985    /lib/ld-2.3.6.so
00b43000-00b44000 rwxp 0001a000 09:01 7070985    /lib/ld-2.3.6.so
00b46000-00c69000 r-xp 00000000 09:01 7070987    /lib/libc-2.3.6.so
00c69000-00c6b000 r-xp 00122000 09:01 7070987    /lib/libc-2.3.6.so
00c6b000-00c6d000 rwxp 00124000 09:01 7070987    /lib/libc-2.3.6.so
00c6d000-00c6f000 rwxp 00c6d000 00:00 0 
00cd7000-00ce0000 r-xp 00000000 09:01 7071004    /lib/libgcc_s-4.0.2-20051126.so.1
00ce0000-00ce1000 rwxp 00009000 09:01 7071004    /lib/libgcc_s-4.0.2-20051126.so.1
08048000-08076000 r-xp 00000000 09:01 2163745    /usr/bin/strace
08076000-08077000 rw-p 0002e000 09:01 2163745    /usr/bin/strace
08077000-0807e000 rw-p 08077000 00:00 0 
08357000-08378000 rw-p 08357000 00:00 0          [heap]
b7f1b000-b7f1c000 rw-p b7f1b000 00:00 0 
b7f27000-b7f28000 rw-p b7f27000 00:00 0 
bf906000-bf91b000 rw-p bf906000 00:00 0          [stack]
Aborted
 [2006-12-22 15:35 UTC] tony2001@php.net
>but file is'nt copied. In the script directory (php ??)
> create file "0"  - the file contains: 

Doesn't make any sense to me..
Are you able to reproduce it with any public accessible FTP server?
 [2007-01-03 15:10 UTC] youza at post dot cz
Yes I reproduce it in the public FTP server:
URL:  ftp://atrey.karlin.mff.cuni.cz/welcome.msg

Result:
Warning: ftp_get(): Opening BINARY mode data connection for welcome.msg (241 bytes). in /web/docs/tester/youza/ftp/test.php on line 43 

apache error.log:
child pid 24559 exit signal Segmentation fault (11)

The file not copied but create empty:
-rw-rw-r--  1 apache webuser    0 Jan  3 16:04 test_l.dat
 [2007-01-03 15:30 UTC] tony2001@php.net
Are you able to replicate it using PHP CLI? Or is it reproducible only with Apache2?
For the record, I don't see any problems with fetching the "welcome.msg" from the server you mentioned using the reproduce code of yours with _both_ Apache2/worker and PHP CLI.
 [2007-01-08 10:26 UTC] youza at post dot cz
No, the PHP CLI command is ok and file is transferred.
I use  the  ftp_nb_get - this function ok (no problem).
What's the difference between  ftp_get and ftp_nb_get in the
source code ? 

Hmm,  our server is very mass hosting system - the number of
virtual servers is cca  1800 (not all very active). The config contains : ( example for one virtual)

<VirtualHost 111.111.111.111>
DocumentRoot /path/to/home/
ServerName www.xxxxxxx.xx
TransferLog /var/log/httpd/XXX/home/access
php_admin_value include_path   .:/path/to/home/
php_admin_value doc_root       /path/to/home/
php_admin_value open_basedir   /path/to/home/
</VirtualHost>

i reduce the number of virtulas to 950 and  ftp_get work
ok ( 20 times test).

The next tests is very interesting !!!!
1. Virtual hosts  1205 - error ( segmentation fault)

2. Virtual hosts  1204 - different error - www page in the Firefox show error and the same error messages were saved to  file name "0"  -  zero !!! FTP file not transferred.
-rw-rw-r--  1 apache webuser  445 Jan  8 10:06 0

The "0" file contains:
[08-Jan-2007 10:00:17] PHP Warning:  ftp_login() expects parameter 1 to be resource, boolean given in /path/to/home/test.php on line 37
[08-Jan-2007 10:00:17] PHP Warning:  ftp_get() expects parameter 1 to be resource, boolean given in /path/to/home/test.php on line 43
[08-Jan-2007 10:00:17] PHP Warning:  ftp_close() expects parameter 1 to be resource, boolean given in /path/to/home/test.php on line 51


3. Virtual hosts  1203 - error Segmentation fault ftp file not transferred buf
the directory contains the empty destination file:
-rw-rw-r--  1 apache webuser    0 Jan  8 10:16 test_l.dat

4. Virtual hosts 1202  the same  like 3.

5. Virtual hosts 1201  the same  like 2. but error message
   in web browser and "0" file is: 
[08-Jan-2007 10:17:47] PHP Warning:  ftp_get(): Opening BINARY mode data connection for welcome.msg (241 bytes). in /path/to/home/test.php on line 43

6. Virtual hosts  <= 1200  - work OK, file transferred ( 20 tests)  


Apache and php not produce any error message with file or system limits problem.
The system limits:  ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
pending signals                 (-i) 32765
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 4096
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 32765
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

/proc/sys/fs/file-max  206037
/proc/sys/fs/file-nr  4096 0  206037

The system: Linux version 2.6.17-1.2142_FC4smp  FC4
glibc-2.3.6,  httpd-2.0.54

httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
The apache working model: prefork.

I don't get it .
 [2007-01-11 09:57 UTC] tony2001@php.net
I don't get it either.
If there is no way to reproduce it NOT on your server, then I'd suspect that the problem is somewhere else on your server and not in PHP.
 [2007-07-18 10:03 UTC] youza at post dot cz
This problem  relate to system call  select() and max size of
structure  fd_set - relate to __FD_SETSIZE
__FD_SETSIZE increase to 65536 in files:
/usr/include/bits/typesizes.h
/usr/include/linuxthreads/bits/typesizes.h
/usr/include/linux/posix_types.h

recompile PHP and the core dump there's not again.
 [2008-07-11 21:26 UTC] jani@php.net
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.


 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Oct 17 22:03:32 2021 UTC