Bug #49052 context option headers freed too early when using --with-curlwrappers
Submitted: 2009-07-25 03:11 UTC Modified: 2009-07-25 13:00 UTC
From: janisjaunsudrabins at yahoo dot com Assigned: jani
Status: Closed Package: cURL related
PHP Version: 5.2.10 OS: Linux
Private report: No CVE-ID:
 [2009-07-25 03:11 UTC] janisjaunsudrabins at yahoo dot com
Description:
------------
PHP segfaults; it appears that the problem is caused by code in ext/curl/streams.c:495

if (slist) {
        curl_slist_free_all(slist);
}

The list is freed too soon, and it eventually results in a segfault in libc strncasecmp down the road.

Here is the backtrace:

#0  0xb7bf74fd in strncasecmp () from /lib/libc.so.6
(gdb) bt all
No symbol "all" in current context.
(gdb) bt full
#0  0xb7bf74fd in strncasecmp () from /lib/libc.so.6
No symbol table info available.
#1  0xb7ac03a4 in curl_strnequal (first=0x0, second=0xb7acb921 "User-Agent:", max=11) at strequal.c:64
No locals.
#2  0xb7aa7795 in checkheaders (data=<value optimized out>, thisheader=0xb7acb921 "User-Agent:") at http.c:119
        head = (struct curl_slist *) 0x84ed130
        thislen = 11
#3  0xb7aa82f3 in Curl_http (conn=0x84ed330, done=0xbf872e68) at http.c:1784
        data = (struct SessionHandle *) 0x84e4028
        buf = <value optimized out>
        result = <value optimized out>
        http = (struct HTTP *) 0x84eddb0
        ppath = 0x84ed660 "/"
        host = 0x84ed768 "www.example.com"
        te = <value optimized out>
        ptr = <value optimized out>
        request = 0xb7acb918 "GET"
        httpreq = HTTPREQ_GET
        addcookies = <value optimized out>
        included_body = 47244640256
#4  0xb7ab3dc1 in Curl_do (connp=0x84ed18c, done=0xbf872e68) at url.c:4285
        result = <value optimized out>
        conn = (struct connectdata *) 0x84ed330
        data = (struct SessionHandle *) 0x84e4028
#5  0xb7ac30ec in multi_runsingle (multi=0x84ec570, easy=0x84ed180) at multi.c:1076
        disconnect_conn = <value optimized out>
        connected = 191
        async = 135
        protocol_connect = false
        dophase_done = true
        done = false
        result = CURLM_OK
#6  0xb7ac43ff in curl_multi_perform (multi_handle=0x84ec570, running_handles=0x84af9b4) at multi.c:1452
        result = <value optimized out>
        multi = (struct Curl_multi *) 0x0
        easy = (struct Curl_one_easy *) 0x84ed180
        returncode = CURLM_OK
        t = <value optimized out>
#7  0xb7ae3823 in php_curl_stream_read () from /usr/lib/php/extensions/curl.so
No locals.
#8  0x081b6aa4 in php_stream_fill_read_buffer ()
No locals.
#9  0x081b6d31 in _php_stream_read ()
No locals.
#10 0x081b7552 in _php_stream_passthru ()
No locals.
#11 0x0813a5a5 in zif_fpassthru ()
No locals.
#12 0x0820ae1a in zend_do_fcall_common_helper_SPEC ()
No locals.
#13 0x08209d2f in execute ()
No locals.
#14 0x081e8070 in zend_execute_scripts ()
No locals.
#15 0x081a00c3 in php_execute_script ()
No locals.
#16 0x082728ce in main ()

While looking at the code I also noticed that stream_context_create contradicts the documentation regarding setting HTTP headers for PHP <= 5.2.10.

The documentation states that headers should be passed as a string, but the code expects a hash, so it just ignores the passed headers.

Can somebody with more knowledge of the curl extension please check this out?

Reproduce code:
---------------
<?php
$opts = array(
  'http'=>array(
    'method'=>"GET",
    'header'=>"Accept-language: en\r\n" .
              "Cookie: foo=bar\r\n"
  )
);

$context = stream_context_create($opts);

/* Sends an http request to www.example.com
   with additional headers shown above */
$fp = fopen('http://www.example.com', 'r', false, $context);
fpassthru($fp);
fclose($fp);
?>



 [2009-07-25 10:58 UTC] jani@php.net
One problem per report please. I'm assuming you compiled with 
experimental --with-curlwrappers ? (I know it does not say so in 
./configure --help but it really is experimental at best..)
 [2009-07-25 11:35 UTC] jani@php.net
Apparently fixing bug #45092 caused this problem.

 [2009-07-25 13:00 UTC] svn@php.net
Automatic comment from SVN on behalf of jani
Revision: http://svn.php.net/viewvc/?view=revision&revision=284747
Log: - Fixed bug #49052 (context option headers freed too early when using --with-curlwrappers)
 [2009-07-25 13:00 UTC] jani@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
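
Added example (not code from PHP or libcurl): libcurl does not copy the list passed via CURLOPT_HTTPHEADER, and the backtrace above shows the list being walked in checkheaders() during a later read, so the list must stay allocated for as long as the handle can use it. The struct and function names below are hypothetical stand-ins that model this ownership rule without linking libcurl; the header strings are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Hypothetical stand-ins for curl_slist, the easy handle and the PHP stream. */
struct hdr_list { char *data; struct hdr_list *next; };
struct handle { const struct hdr_list *headers; };   /* borrowed, not copied */
struct stream { struct handle h; struct hdr_list *owned; };
static struct hdr_list *hdr_prepend(struct hdr_list *head, const char *s) {
    struct hdr_list *n = malloc(sizeof *n);
    if (!n || !(n->data = malloc(strlen(s) + 1))) { free(n); return NULL; }
    strcpy(n->data, s);
    n->next = head;
    return n;
}
static void hdr_free_all(struct hdr_list *p) {
    while (p) { struct hdr_list *next = p->next; free(p->data); free(p); p = next; }
}
/* Same kind of walk as frame #2 (checkheaders): runs at request time, not at open. */
static int has_header(const struct handle *h, const char *name) {
    for (const struct hdr_list *p = h->headers; p; p = p->next)
        if (strncasecmp(p->data, name, strlen(name)) == 0) return 1;
    return 0;
}
static int stream_open(struct stream *s, const char *const *hdrs, size_t n) {
    struct hdr_list *list = NULL;
    for (size_t i = 0; i < n; i++) {
        struct hdr_list *grown = hdr_prepend(list, hdrs[i]);
        if (!grown) { hdr_free_all(list); return -1; }
        list = grown;
    }
    s->h.headers = s->owned = list;   /* freeing `list` here is the reported bug pattern */
    return 0;
}
/* Deferred request, like curl_multi_perform() under php_curl_stream_read(). */
static int stream_read(struct stream *s) { return has_header(&s->h, "Cookie:"); }
static void stream_close(struct stream *s) {
    s->h.headers = NULL;              /* detach first so no dangling pointer remains */
    hdr_free_all(s->owned);
    s->owned = NULL;
}
int main(void) {
    const char *hdrs[] = { "Accept-language: en", "Cookie: foo=bar" };  /* constructed */
    struct stream s;
    if (stream_open(&s, hdrs, 2) != 0) return 1;
    printf("Cookie header visible at read time: %d\n", stream_read(&s));
    stream_close(&s);
    return 0;
}
```

Building this model with AddressSanitizer and moving the free into stream_open reproduces the failure class as a heap-use-after-free report at the has_header walk.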


 
Last updated: Wed Apr 16 07:02:02 2014 UTC