Bug #48133 SNMP functions cause segfault
Submitted: 2009-05-02 19:19 UTC Modified: 2009-05-02 21:14 UTC
From: joffrey at ne2000 dot nl Assigned:
Status: Closed Package: SNMP related
PHP Version: 5.3, 6CVS (2009-05-02) OS: Linux
Private report: No CVE-ID: None
 [2009-05-02 19:19 UTC] joffrey at ne2000 dot nl
Description:
------------
Using SNMP will cause a segfault.

Tested with 5.2.9, 5.3.0RC1 and 5.3CVS(2009-05-02).

PHP 5.2.9: works correctly
5.3.0RC1 and 5.3CVS: broken

This issue could be related to #45405.

Tested using the cli with -n on a clean install of CentOS5.2 x86_64 with all updates and the required development libs, with all non-x86_64 arch-specific packages removed.

Compiled with: --enable-debug --enable-snmp=/usr

Reproduce code:
---------------
echo snmpget('localhost', 'public', 'sysDescr.0');

Expected result:
----------------
STRING: Linux phptest 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 09:10:25 EDT 2009 x86_64

Actual result:
--------------
[root@phptest cli]# gdb ./php
GNU gdb Fedora (6.8-27.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(gdb) run -n -r "echo snmpget('localhost', 'public', 'sysDescr.0');"
Starting program: /root/php-5.3.0RC1/sapi/cli/php -n -r "echo snmpget('localhost', 'public', 'sysDescr.0');"
[Thread debugging using libthread_db enabled]
[New Thread 0x2b88b101a7c0 (LWP 20328)]
*** glibc detected *** /root/php-5.3.0RC1/sapi/cli/php: double free or corruption (!prev): 0x000000000ee53200 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3c94e71ce2]
/lib64/libc.so.6(cfree+0x8c)[0x3c94e7590c]
/root/php-5.3.0RC1/sapi/cli/php[0x5f433f]
/root/php-5.3.0RC1/sapi/cli/php[0x5f5146]
/root/php-5.3.0RC1/sapi/cli/php[0x5f5194]
/root/php-5.3.0RC1/sapi/cli/php[0x7cc762]
/root/php-5.3.0RC1/sapi/cli/php[0x7d21c5]
/root/php-5.3.0RC1/sapi/cli/php(execute+0x333)[0x7cb9ae]
/root/php-5.3.0RC1/sapi/cli/php(zend_eval_string+0x1b5)[0x78d204]
/root/php-5.3.0RC1/sapi/cli/php(zend_eval_string_ex+0x28)[0x78d3af]
/root/php-5.3.0RC1/sapi/cli/php[0x885f4f]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3c94e1d974]
/root/php-5.3.0RC1/sapi/cli/php(realloc+0x481)[0x41e279]
======= Memory map: ========
Program received signal SIGABRT, Aborted.
0x0000003c94e30215 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003c94e30215 in raise () from /lib64/libc.so.6
#1  0x0000003c94e31cc0 in abort () from /lib64/libc.so.6
#2  0x0000003c94e6a7fb in __libc_message () from /lib64/libc.so.6
#3  0x0000003c94e71ce2 in _int_free () from /lib64/libc.so.6
#4  0x0000003c94e7590c in free () from /lib64/libc.so.6
#5  0x00000000005f433f in php_snmp_internal (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, st=1, session=0x7ffff9ec0e00, objid=0xee300e8 "sysDescr.0", type=0 '\0', value=0x0)
    at /root/php-5.3.0RC1/ext/snmp/snmp.c:658
#6  0x00000000005f5146 in php_snmp (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, st=1, version=0) at /root/php-5.3.0RC1/ext/snmp/snmp.c:854
#7  0x00000000005f5194 in zif_snmpget (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /root/php-5.3.0RC1/ext/snmp/snmp.c:862
#8  0x00000000007cc762 in zend_do_fcall_common_helper_SPEC (execute_data=0x2b88b4899090) at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:313
#9  0x00000000007d21c5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b88b4899090) at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:1616
#10 0x00000000007cb9ae in execute (op_array=0xee2f700) at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:104
#11 0x000000000078d204 in zend_eval_string (str=0x7ffff9ec1be0 "echo snmpget('localhost', 'public', 'sysDescr.0');", retval_ptr=0x0, string_name=0xb6e87c "Command line code") at /root/php-5.3.0RC1/Zend/zend_execute_API.c:1157
#12 0x000000000078d3af in zend_eval_string_ex (str=0x7ffff9ec1be0 "echo snmpget('localhost', 'public', 'sysDescr.0');", retval_ptr=0x0, string_name=0xb6e87c "Command line code", handle_exceptions=1)
    at /root/php-5.3.0RC1/Zend/zend_execute_API.c:1192
#13 0x0000000000885f4f in main (argc=4, argv=0x7ffff9ec1878) at /root/php-5.3.0RC1/sapi/cli/php_cli.c:1198
(gdb) frame 0
#0  0x0000003c94e30215 in raise () from /lib64/libc.so.6
(gdb) frame 1
#1  0x0000003c94e31cc0 in abort () from /lib64/libc.so.6
(gdb) frame 2
#2  0x0000003c94e6a7fb in __libc_message () from /lib64/libc.so.6
(gdb) frame 3
#3  0x0000003c94e71ce2 in _int_free () from /lib64/libc.so.6
(gdb) frame 4
#4  0x0000003c94e7590c in free () from /lib64/libc.so.6
(gdb) frame 5
#5  0x00000000005f433f in php_snmp_internal (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, st=1, session=0x7ffff9ec0e00, objid=0xee300e8 "sysDescr.0", type=0 '\0', value=0x0)
    at /root/php-5.3.0RC1/ext/snmp/snmp.c:658
658                                                     snmp_free_pdu(pdu);
(gdb) frame 6
#6  0x00000000005f5146 in php_snmp (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, st=1, version=0) at /root/php-5.3.0RC1/ext/snmp/snmp.c:854
854             php_snmp_internal(INTERNAL_FUNCTION_PARAM_PASSTHRU, st, &session, a3, type, value);
(gdb) frame 7
#7  0x00000000005f5194 in zif_snmpget (ht=3, return_value=0xee30148, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /root/php-5.3.0RC1/ext/snmp/snmp.c:862
862             php_snmp(INTERNAL_FUNCTION_PARAM_PASSTHRU,SNMP_CMD_GET, SNMP_VERSION_1);
(gdb) frame 8
#8  0x00000000007cc762 in zend_do_fcall_common_helper_SPEC (execute_data=0x2b88b4899090) at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:313
313                             ((zend_internal_function *) EX(function_state).function)->handler(opline->extended_value, EX_T(opline->result.u.var).var.ptr, EX(function_state).function->common.return_reference?&EX_T(opline->result.u.var).var.ptr:NULL, EX(object), RETURN_VALUE_USED(opline) TSRMLS_CC);
(gdb) frame 9
#9  0x00000000007d21c5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2b88b4899090) at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:1616
1616            return zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) frame 10
#10 0x00000000007cb9ae in execute (op_array=0xee2f700) at /root/php-5.3.0RC1/Zend/zend_vm_execute.h:104
104                     if ((ret = EX(opline)->handler(execute_data TSRMLS_CC)) > 0) {
(gdb) frame 11
#11 0x000000000078d204 in zend_eval_string (str=0x7ffff9ec1be0 "echo snmpget('localhost', 'public', 'sysDescr.0');", retval_ptr=0x0, string_name=0xb6e87c "Command line code") at /root/php-5.3.0RC1/Zend/zend_execute_API.c:1157
1157                    zend_execute(new_op_array TSRMLS_CC);
(gdb) frame 12
#12 0x000000000078d3af in zend_eval_string_ex (str=0x7ffff9ec1be0 "echo snmpget('localhost', 'public', 'sysDescr.0');", retval_ptr=0x0, string_name=0xb6e87c "Command line code", handle_exceptions=1)
    at /root/php-5.3.0RC1/Zend/zend_execute_API.c:1192
1192            result = zend_eval_string(str, retval_ptr, string_name TSRMLS_CC);
(gdb) frame 13
#13 0x0000000000885f4f in main (argc=4, argv=0x7ffff9ec1878) at /root/php-5.3.0RC1/sapi/cli/php_cli.c:1198
1198                            if (zend_eval_string_ex(exec_direct, NULL, "Command line code", 1 TSRMLS_CC) == FAILURE) {
(gdb)
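The gdb session stops inside snmp_free_pdu(pdu) at snmp.c:658 with glibc reporting a double free, which points at who owns the request PDU. The following C example is added here and is not code from the PHP extension or from net-snmp: it models the contract I assume net-snmp's snmp_synch_response follows (the request PDU is consumed on both the success and the send-failure path) with a tagged allocator that counts a second release instead of corrupting the heap. The report does not show which path the extension took, so the buggy caller below is only one way to reach such a free; pdu_t, pdu_free and synch_response_model are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for netsnmp_pdu: a heap block with a liveness tag. */
typedef struct { unsigned magic; char oid[32]; } pdu_t;
enum { PDU_LIVE = 0x50445531u, PDU_DEAD = 0xDEADBEEFu };

static int double_frees = 0;  /* each hit is what glibc reported as "double free or corruption" */

pdu_t *pdu_create(const char *oid) {
    pdu_t *p = malloc(sizeof *p);
    p->magic = PDU_LIVE;
    strncpy(p->oid, oid, sizeof p->oid - 1);
    p->oid[sizeof p->oid - 1] = '\0';
    return p;
}

/* Guarded release. The block is deliberately never handed back to malloc so the
 * tag stays readable and a second release is counted rather than corrupting the heap. */
void pdu_free(pdu_t *p) {
    if (p->magic != PDU_LIVE) { double_frees++; return; }
    p->magic = PDU_DEAD;
}

/* Model of snmp_synch_response's ownership rule (assumed from net-snmp's contract):
 * the request PDU is released by the library on both the error and the success path. */
int synch_response_model(pdu_t *request, int send_ok, pdu_t **response) {
    *response = NULL;
    if (!send_ok) { pdu_free(request); return -1; }  /* send failed: STAT_ERROR */
    *response = pdu_create(request->oid);            /* reply arrived */
    pdu_free(request);                               /* request consumed by the library */
    return 0;
}

/* Caller that frees the request again on the error path: one way to reach a double
 * free in snmp_free_pdu(). Returns how many double frees the call produced. */
int caller_buggy(int send_ok) {
    int before = double_frees;
    pdu_t *req = pdu_create("sysDescr.0"), *resp;
    if (synch_response_model(req, send_ok, &resp) != 0) pdu_free(req); /* BUG: not ours */
    else pdu_free(resp);
    return double_frees - before;
}

/* Corrected caller: frees only the response, the one object it still owns. */
int caller_fixed(int send_ok) {
    int before = double_frees;
    pdu_t *req = pdu_create("sysDescr.0"), *resp;
    if (synch_response_model(req, send_ok, &resp) == 0) pdu_free(resp);
    return double_frees - before;
}
```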



 [2009-05-02 21:14 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

