php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #46082 [PATCH] stream_set_blocking() can cause a crash in some circumstances
Submitted: 2008-09-14 23:19 UTC Modified: 2008-10-24 10:46 UTC
From: shaunspiller at gmail dot com Assigned: felipe
Status: Closed Package: Streams related
PHP Version: 5.2.6 OS: Windows
Private report: No CVE-ID:
 [2008-09-14 23:19 UTC] shaunspiller at gmail dot com
Description:
------------
Hello developers!

I found what looks like a reproducible crash in the stream/sockets/thingy. I think...


Code to reproduce:
------------------
<?php

var_dump($s = stream_socket_server('tcp://0.0.0.0:1234', $errno, $errstr, 0));
var_dump(stream_set_blocking($s, false));

echo 'hello';

?>

The var_dumps and echo are not necessary to cause the problem, but just to show the tracing of the code.


Expected result:
----------------
resource(5) of type (stream)
bool(true)
hello


Actual result:
--------------
resource(5) of type (stream)


...And then the darn thing just implodes -- doesn't even say goodbye, nevermind hello. If STREAM_SERVER_BIND is specified for the flags to stream_socket_server() then it works fine.


Tested on all the PHP versions I had installed (using the CLI interface):
6.0.0-dev (Windows): crashes
5.2.6 (Windows): crashes
5.2.5 (Windows): crashes
5.2.3 (Windows): crashes
5.2.4-2ubuntu5.3 (Linux): no crash (typicial of Linux to be different huh? :)


Backtrace what-cha-ma-call-it:
------------------------------

(This was generated with PHP 5.2.6.)

Thread 0 - System ID 2864
Entry point                 php!mainCRTStartup 
Create time                 2008-09-13 23:00:03 
Time spent in user mode     0 Days 0:0:0.46 
Time spent in kernel mode   0 Days 0:0:0.31 

Function                                        Arg 1        Arg 2        Arg 3       Source 
php5ts!xbuf_format_converter+68a                00c0f978     102c178d     00c0fa04    
php5ts!vspprintf+29                             00c0f9b0     00000000     102c178c    
php5ts!php_verror+4d                            00000000     102c169c     00000002    
php5ts!php_error_docref0+23                     00000000     00f11d10     00000002    
php5ts!php_set_sock_blocking+45                 ffffffff     00000001     00f11d10    
php5ts!php_sockop_set_option+121                011ee248     00000001     00000000    
php5ts!php_tcp_sockop_set_option+56e            011ee248     00000001     00000000    
php5ts!_php_stream_set_option+2c                011ee248     00000001     00000000    
php5ts!zif_stream_set_blocking+10c              011e28f8     011ee1a0     00000000    
php5ts!zend_do_fcall_common_helper_SPEC+7d9     00c0fbd0     00f11d10     011ed67f    
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+e5      00000000     00f11d10     00f11d10    
php5ts!execute+1c5                              011ed6e0     00f11d10     00000000    
php5ts!zend_execute_scripts+107                 00000008     00f11d10     00000000    
php5ts!php_execute_script+20d                   00c0fec8     00f11d10     00000000    
php!main+c07                                    00000003     00f11d80     00f10c10    
php!mainCRTStartup+e3                           00000000     00000000     7ffde000    
kernel32!IsProcessorFeaturePresent+9e           00402fc2     00000000     000000c1    

PHP5TS!XBUF_FORMAT_CONVERTER+68AIn php__PID__2860__Date__09_13_2008__Time_11_00_07PM__202__Second_Chance_Exception_C0000005.dmp the assembly instruction at php5ts!xbuf_format_converter+68a in c:\Server\php\php5ts.dll from The PHP Group has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00002736 on thread 0



(Actually, all I wanted to do was use SSL with the sockets extension. But it doesn't seem to support that so I switched my program to the stream_socket functions instead. But that doesn't seem to support raw sockets, except under stream_socket_pair() (What's the point of that function anyway? It doesn't let you connect to anything!). So I tried to use the context/options/params thing to set up a notification function so I could let stream_sockets notifications be sent directly to the handler functions while socket_select handles ordinary Berkeley sockets events, because I need them both, but I couldn't get the notification thing working at all, so I tried specifying the context directly when the listener socket was created, and that requires specifying the errno, errstr, and flags values as well, so I tried that. Well it was a real rollercoaster. It still didn't call the notifier, but it did crash, and that's how I found this muddle. If I was clever I would have tried to fix it myself but I couldn't find out where the actual the problem was. /end of rant)


Anyway, I figured even though the problem only happens with incorrect values for the flags parameter, that I should report it anyway, just in case it's exploitable. I would have reported it yesterday but the bug reporting page seemed to be broken for hours, even though I kept trying again. Then I discovered that actually you just need cookies enabled for it to work. Ah well. Hope this stuff makes sense to someone.

Bye!~




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-09-15 00:06 UTC] felipe@php.net
Probably that will fix the crash:
http://felipe.ath.cx/diff/bug46082.diff (untested)
 [2008-10-24 10:46 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 10:02:09 2014 UTC