php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41353 openssl_pkcs12_read() does not verify the type of the first arg
Submitted: 2007-05-10 13:23 UTC Modified: 2007-05-13 17:37 UTC
From: tony2001@php.net Assigned:
Status: Closed Package: OpenSSL related
PHP Version: 5CVS-2007-05-10 (CVS) OS: Linux
Private report: No CVE-ID:
 [2007-05-10 13:23 UTC] tony2001@php.net
Description:
------------
Function openssl_pkcs12_read() does not check the type of the first argument and uses it as a string in the call to BIO_write().
So if you pass a number as the first parameter, BIO_write() is called with a garbage params and segfaults.

Reproduce code:
---------------
$a = 2;
openssl_pkcs12_read(1, $a, 1);

Actual result:
--------------
(gdb) r -r '$a = 2; openssl_pkcs12_read(1, $a, 1);'
Starting program: /home/tony/php-src_5_2/sapi/cli/php -r '$a = 1; openssl_pkcs12_read(1, $a, 1);'
[Thread debugging using libthread_db enabled]
[New Thread 182900459904 (LWP 1209)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 182900459904 (LWP 1209)]
0x00000031aef70bc0 in memcpy () from /lib64/tls/libc.so.6
(gdb) bt
#0  0x00000031aef70bc0 in memcpy () from /lib64/tls/libc.so.6
#1  0x0000000000ac9f4b in mem_write ()
#2  0x0000000000ac9136 in BIO_write ()
#3  0x0000000000499009 in zif_openssl_pkcs12_read (ht=3, return_value=0x2a95b92fe8, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, tsrm_ls=0x1080450)
    at /home/tony/php-src_5_2/ext/openssl/openssl.c:1565
#4  0x0000000000a1693e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fbffff1b0, tsrm_ls=0x1080450) at zend_vm_execute.h:200
#5  0x0000000000a1c49a in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fbffff1b0, tsrm_ls=0x1080450) at zend_vm_execute.h:1681
#6  0x0000000000a16246 in execute (op_array=0x2a95b928a0, tsrm_ls=0x1080450) at zend_vm_execute.h:92
#7  0x00000000009cc67e in zend_eval_string (str=0x7fbffffbf9 "$a = 1; openssl_pkcs12_read(1, $a, 1);", retval_ptr=0x0, string_name=0xdfa8fc "Command line code",
    tsrm_ls=0x1080450) at /home/tony/php-src_5_2/Zend/zend_execute_API.c:1148
#8  0x00000000009cc8ca in zend_eval_string_ex (str=0x7fbffffbf9 "$a = 1; openssl_pkcs12_read(1, $a, 1);", retval_ptr=0x0, string_name=0xdfa8fc "Command line code",
    handle_exceptions=1, tsrm_ls=0x1080450) at /home/tony/php-src_5_2/Zend/zend_execute_API.c:1182
#9  0x0000000000a92527 in main (argc=3, argv=0x7fbffff9e8) at /home/tony/php-src_5_2/sapi/cli/php_cli.c:1177


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-05-13 17:37 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 10:02:10 2014 UTC