Bug #49424 ldap_search segfaults Apache process
Submitted: 2009-08-31 15:53 UTC Modified: 2009-09-01 08:43 UTC
Votes:2
Avg. Score:4.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: jaroslav dot pulchart at centrum dot cz Assigned: patrickallaert (profile)
Status: Closed Package: LDAP related
PHP Version: 5.2.10 OS: *
Private report: No CVE-ID: None
 [2009-08-31 15:53 UTC] jaroslav dot pulchart at centrum dot cz
Description:
------------
The fix for #48441 in PHP 5.2.10 (http://bugs.php.net/bug.php?id=48441) restores the previous LDAP options, but it doesn't test whether the LDAP link pointer is NULL. This issue segfaults the Apache/PHP process.

Reproduce code:
---------------
ext/ldap/ldap.c
... 
ld = (ldap_linkdata *) zend_fetch_resource(link TSRMLS_CC, -1, "ldap link", NULL, 1, le_link);
if (ld == NULL) {
	ret = 0;
	goto cleanup;     /* "ld" is NULL !!!!!! */
}
...
cleanup: 
	// Restoring previous options
	php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit, old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref);   /* set options on ld == NULL !!!!!!! */
...

Expected result:
----------------
No segfault ;)


cleanup: 

	if (ld!=NULL){
	// Restoring previous options
		php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit, old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref);
	}


Actual result:
--------------
#0  0x0000002a9a546437 in php_ldap_do_search (ht=7, return_value=0x2a9d41bda0, 
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, scope=2) at ./php-5.2.10/ext/ldap/ldap.c:909
909		php_set_opts(ld->link, old_ldap_sizelimit, old_ldap_timelimit, old_ldap_deref, &ldap_sizelimit, &ldap_timelimit, &ldap_deref);
(gdb) bt full
#0  0x0000002a9a546437 in php_ldap_do_search (ht=7, return_value=0x2a9d41bda0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, scope=2)
    at ./php-5.2.10/ext/ldap/ldap.c:907
	link = (zval **) 0x2a997fd500
	base_dn = (zval **) 0x2a997fd508
	filter = (zval **) 0x2a997fd510
	attrs = (zval **) 0x2a997fd518
	attr = (zval **) 0x34
	attrsonly = (zval **) 0x2a997fd520
	sizelimit = (zval **) 0x2a997fd528
	timelimit = (zval **) 0x2a997fd530
	deref = (zval **) 0x2a98fb475d
	ldap_base_dn = 0x0
	ldap_filter = 0x2a9d41be10 "Array"
	ldap_attrs = (char **) 0x2a9d41bb88
	ld = (ldap_linkdata *) 0x0
	ldap_res = (LDAPMessage *) 0x8
	ldap_attrsonly = 0
	ldap_sizelimit = 0
	ldap_timelimit = 0
	ldap_deref = -1
	old_ldap_sizelimit = -1
	old_ldap_timelimit = -1
	old_ldap_deref = -1
	num_attribs = 0
	i = 0
	myargcount = 7
	ret = 0
#1  0x0000002a9a54655c in zif_ldap_search (ht=7, return_value=0x2a9d41bda0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at ./php-5.2.10/ext/ldap/ldap.c:936
No locals.
#2  0x0000002a98fd4b6e in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#3  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#4  0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#5  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#6  0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#7  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#8  0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#9  0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#10 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#11 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#12 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#13 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#14 0x0000002a98fe317c in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#15 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#16 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#17 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#18 0x0000002a98fd4483 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#19 0x0000002a98fd4181 in execute () from ./apache/modules/libphp5.so
No symbol table info available.
#20 0x0000002a98fb5214 in zend_execute_scripts () from ./apache/modules/libphp5.so
No symbol table info available.
#21 0x0000002a98f723ad in php_execute_script () from ./apache/modules/libphp5.so
No symbol table info available.
#22 0x0000002a990443e6 in zend_get_zval_ptr_ptr () from ./apache/modules/libphp5.so
No symbol table info available.
#23 0x0000000000435c63 in ap_run_handler ()
No symbol table info available.
#24 0x0000000000436101 in ap_invoke_handler ()
No symbol table info available.
#25 0x0000000000442860 in ap_process_request ()
No symbol table info available.
#26 0x000000000043ffad in ap_filter_protocol ()
No symbol table info available.
#27 0x000000000043c653 in ap_run_process_connection ()
No symbol table info available.
#28 0x0000000000446970 in ap_graceful_stop_signalled ()
No symbol table info available.
#29 0x0000000000446b94 in ap_graceful_stop_signalled ()
No symbol table info available.
#30 0x0000000000446c2e in ap_graceful_stop_signalled ()
No symbol table info available.
#31 0x000000000044743d in ap_mpm_run ()
No symbol table info available.
#32 0x00000000004237e5 in main ()
No symbol table info available.

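The cleanup-path bug described in the report, as an added C example that is not PHP's own code: zend_fetch_resource(), php_set_opts() and the search function are modelled with constructed stand-ins (mock_fetch_resource, mock_set_opts, mock_do_search_buggy, mock_do_search_fixed, g_conn, g_link and the seen/restored accessors are all assumptions), so the 5.2.10 shape and the guarded fix can be compared without an LDAP server. The buggy variant is only called when the program is run with --crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for ext/ldap's types (not PHP's code): mock_ldap plays
 * the role of libldap's LDAP handle, ldap_linkdata mirrors the resource wrapper. */
typedef struct {
    int sizelimit;
    int timelimit;
    int deref;       /* 0 = LDAP_DEREF_NEVER, never -1 on a real handle */
} mock_ldap;

typedef struct {
    mock_ldap *link;
} ldap_linkdata;

/* One live connection registered as resource handle 1; every other handle is bogus. */
static mock_ldap     g_conn = { 0, 0, 0 };
static ldap_linkdata g_link = { &g_conn };

/* Options in force at the moment the "search" ran, so a caller can verify that
 * the per-call limits were applied during the search and undone afterwards. */
static int g_seen_sizelimit = -2;

/* Mirrors zend_fetch_resource(): NULL for anything that is not a valid link. */
static ldap_linkdata *mock_fetch_resource(int handle)
{
    return handle == 1 ? &g_link : NULL;
}

/* Mirrors php_set_opts(): save the current values into old_*, then apply each
 * requested value that is not -1 (-1 means "leave unchanged"). */
static void mock_set_opts(mock_ldap *l, int sizelimit, int timelimit, int deref,
                          int *old_sizelimit, int *old_timelimit, int *old_deref)
{
    *old_sizelimit = l->sizelimit;
    *old_timelimit = l->timelimit;
    *old_deref     = l->deref;
    if (sizelimit > -1) l->sizelimit = sizelimit;
    if (timelimit > -1) l->timelimit = timelimit;
    if (deref     > -1) l->deref     = deref;
}

/* Shape of the 5.2.10 code: the early-exit branch jumps to cleanup before ld is
 * valid, and cleanup dereferences it unconditionally. An invalid handle crashes. */
static int mock_do_search_buggy(int handle, int sizelimit, int timelimit, int deref)
{
    ldap_linkdata *ld;
    int old_sizelimit = -1, old_timelimit = -1, old_deref = -1;
    int ret = 1;

    ld = mock_fetch_resource(handle);
    if (ld == NULL) {
        ret = 0;
        goto cleanup;                        /* ld is NULL here */
    }
    mock_set_opts(ld->link, sizelimit, timelimit, deref,
                  &old_sizelimit, &old_timelimit, &old_deref);
    g_seen_sizelimit = ld->link->sizelimit;  /* real code calls ldap_search_ext_s() here */
cleanup:
    mock_set_opts(ld->link, old_sizelimit, old_timelimit, old_deref,  /* NULL->link */
                  &sizelimit, &timelimit, &deref);
    return ret;
}

/* Hardened version: restore the old options only when a link was resolved. */
static int mock_do_search_fixed(int handle, int sizelimit, int timelimit, int deref)
{
    ldap_linkdata *ld;
    int old_sizelimit = -1, old_timelimit = -1, old_deref = -1;
    int ret = 1;

    ld = mock_fetch_resource(handle);
    if (ld == NULL) {
        ret = 0;
        goto cleanup;
    }
    mock_set_opts(ld->link, sizelimit, timelimit, deref,
                  &old_sizelimit, &old_timelimit, &old_deref);
    g_seen_sizelimit = ld->link->sizelimit;
cleanup:
    if (ld != NULL) {
        mock_set_opts(ld->link, old_sizelimit, old_timelimit, old_deref,
                      &sizelimit, &timelimit, &deref);
    }
    return ret;
}

/* Accessors for the shared state, so results can be checked from outside. */
static int mock_seen_sizelimit(void) { return g_seen_sizelimit; }
static int mock_conn_sizelimit(void) { return g_conn.sizelimit; }
static int mock_conn_deref(void)     { return g_conn.deref; }

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--crash") == 0) {
        return mock_do_search_buggy(42, 10, 5, 2);   /* reproduces the NULL dereference */
    }
    printf("bad handle  -> ret %d\n", mock_do_search_fixed(42, 10, 5, 2));
    printf("good handle -> ret %d\n", mock_do_search_fixed(1, 10, 5, 2));
    printf("sizelimit during search %d, after restore %d, deref after restore %d\n",
           mock_seen_sizelimit(), mock_conn_sizelimit(), mock_conn_deref());
    return 0;
}
```

The guard in the fixed variant is the same one proposed under "Expected result" above; the mock also shows why the restore matters at all: without it, the sizelimit/timelimit/deref passed to one ldap_search() call would stay on the shared connection for every later call on that link.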

History

 [2009-08-31 18:51 UTC] jani@php.net
Who breaks should fix. :)
 [2009-09-01 08:42 UTC] svn@php.net
Automatic comment from SVN on behalf of patrickallaert
Revision: http://svn.php.net/viewvc/?view=revision&revision=287936
Log: Fixing #49424 (#48696): segfault while using ldap_search(), ldap_read(),...
 [2009-09-01 08:43 UTC] patrickallaert@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

This is the same as #48696; however, it had been fixed for PHP 5.3/6, not for 5.2.

This is fixed right now.

PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Wed Feb 08 02:05:49 2023 UTC