Bug #50212 SEGV by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT
Submitted: 2009-11-18 01:29 UTC Modified: 2009-11-18 13:37 UTC
From: shigeru_kitazaki at cybozu dot co dot jp Assigned:
Status: Closed Package: LDAP related
PHP Version: 5.3.0 OS: Linux
Private report: No CVE-ID:
 [2009-11-18 01:29 UTC] shigeru_kitazaki at cybozu dot co dot jp
Description:
------------
A NULL pointer access occurs when getting the option value if no option value is set for LDAP_OPT_NETWORK_TIMEOUT.
ldap_get_option() of OpenLDAP returns success when no value is set,
which is implemented in libraries/libldap/options.c of the OpenLDAP source tree.
But the original PHP source code tries to access the property value.
Here is the patch to resolve this.

diff -Nrub php-5.3.0/ext/ldap/ldap.c php-5.3.0.ldap/ext/ldap/ldap.c
--- php-5.3.0/ext/ldap/ldap.c	2009-06-26 00:19:29.000000000 +0900
+++ php-5.3.0.ldap/ext/ldap/ldap.c	2009-11-17 18:19:20.000000000 +0900
@@ -1619,9 +1619,13 @@
 				}
 				RETURN_FALSE;
 			}		       
+			if (timeout) {
 			zval_dtor(retval);
 			ZVAL_LONG(retval, timeout->tv_sec);
 			ldap_memfree(timeout);
+			} else {
+				RETURN_FALSE;
+			}
 		} break;
 #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
 	case LDAP_X_OPT_CONNECT_TIMEOUT:
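Review bot: The new `else { RETURN_FALSE; }` branch makes a successful library call that produced no timeout indistinguishable, for the PHP caller, from the failure path just above it, which also ends in `RETURN_FALSE`; if "no timeout configured" should be tellable apart from an error, it needs a different return value or a documented sentinel. The three lines now wrapped by `if (timeout) {` also keep their old indentation. Either re-indent them or use an early guard, `if (!timeout) { RETURN_FALSE; }`, placed before `zval_dtor(retval);`, which keeps the hunk smaller and leaves the caller's variable untouched on the no-value path.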

Although the manual page of ldap.constants says LDAP_OPT_NETWORK_TIMEOUT is the option for ldap_set_option(),
the parameter is also available on function.ldap-get-option.

Reproduce code:
---------------
<?php
$host = "localhost";
$conn = ldap_connect($host);
ldap_get_option($conn, LDAP_OPT_NETWORK_TIMEOUT, $val);

Actual result:
--------------
Segmentation fault
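
The failure mode described in this report, reduced to plain C as an added example (not code from PHP or OpenLDAP). `struct conn`, `mock_get_timeout` and `get_timeout_secs` are hypothetical names, and the mock only models the "success status, no value" behaviour the report describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>

#define OPT_SUCCESS 0
#define OPT_ERROR  (-1)

/* Constructed stand-in for a connection handle; NULL means "never set". */
struct conn { struct timeval *net_timeout; };

/* Constructed stand-in for the library getter: it reports success and hands
 * back a heap copy of the stored timeout, or NULL when none was configured. */
static int mock_get_timeout(const struct conn *c, struct timeval **out)
{
    if (c == NULL || out == NULL) return OPT_ERROR;
    *out = NULL;
    if (c->net_timeout != NULL) {
        *out = malloc(sizeof **out);
        if (*out == NULL) return OPT_ERROR;
        **out = *c->net_timeout;
    }
    return OPT_SUCCESS;          /* success even when *out stays NULL */
}

/* Hardened caller: returns 1 and writes *secs only when a value exists.
 * *secs is left untouched on every failure path. */
static int get_timeout_secs(const struct conn *c, long *secs)
{
    struct timeval *tv = NULL;   /* initialise the out-pointer ourselves */
    if (secs == NULL || mock_get_timeout(c, &tv) != OPT_SUCCESS) return 0;
    if (tv == NULL) return 0;    /* status said success, nothing to read */
    *secs = (long)tv->tv_sec;    /* dereference only after the NULL check */
    free(tv);
    return 1;
}

int main(void)
{
    struct timeval three = { .tv_sec = 3, .tv_usec = 0 };
    struct conn unset = { NULL }, set = { &three };
    long secs = -1;
    int ok = get_timeout_secs(&unset, &secs);
    printf("unset: ok=%d secs=%ld\n", ok, secs);
    ok = get_timeout_secs(&set, &secs);
    printf("set:   ok=%d secs=%ld\n", ok, secs);
    return 0;
}
```

Checking the status code alone is not enough for an out-parameter API with this contract; the pointer has to be validated before the caller's existing value is released or overwritten.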

 [2009-11-18 04:03 UTC] srinatar@php.net
Thanks for trying it out and providing us the patch.

I have changed the patch to be something like below
Index: ext/ldap/ldap.c
===================================================================
--- ext/ldap/ldap.c     (revision 290898)
+++ ext/ldap/ldap.c     (working copy)
@@ -1592,6 +1592,8 @@
                                RETURN_FALSE;
                        }                      
                        zval_dtor(retval);
+                       if (!timeout)
+                               RETURN_FALSE;
                        ZVAL_LONG(retval, timeout->tv_sec);
                        ldap_memfree(timeout);
                } break;
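Review bot: `zval_dtor(retval);` still runs before the new `if (!timeout)` check, so on the NULL path the function returns FALSE after destroying the caller's variable without assigning it a new value. Move the check above `zval_dtor(retval);` so the by-reference argument is only touched when there is a timeout to store, and add braces around the single-statement `RETURN_FALSE;` body.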

--- /dev/null   2009-11-15 17:50:37.203856521 -0800
+++ ext/ldap/tests/ldap_get_option_timeout.phpt 2009-11-17 
19:58:38.000000000 -0800
@@ -0,0 +1,20 @@
+--TEST--
+ldap_get_option() - Basic ldap_get_option() operation
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+require "connect.inc";
+
+$link = ldap_connect($host, $port);
+$option = null;
+var_dump(
+       ldap_get_option($link, LDAP_OPT_NETWORK_TIMEOUT, $option),
+       $option
+);
+?>
+===DONE===
+--EXPECT--
+bool(true)
+int(3)
+===DONE===
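Review bot: The `--EXPECT--` section (`bool(true)` and `int(3)`) does not follow from the `--FILE--` section: nothing visible in the test sets LDAP_OPT_NETWORK_TIMEOUT to 3, and with the `if (!timeout) RETURN_FALSE;` change an unset timeout returns FALSE and never writes an integer into `$option`. Either call `ldap_set_option($link, LDAP_OPT_NETWORK_TIMEOUT, 3)` before the `var_dump`, or expect `bool(false)` and `NULL`; covering both the set and unset cases would exercise the fix directly. The `--TEST--` title should also name the timeout case rather than "Basic ldap_get_option() operation".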


I don't have any LDAP server running, so I hope someone can
verify that the above test runs fine before they commit it.

See also bug #42837 (http://bugs.php.net/bug.php?id=42837).
 [2009-11-18 13:37 UTC] svn@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=290913
Log: Fixed bug #50212 (crash by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT).
 [2009-11-18 13:37 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Sat Apr 19 19:02:15 2014 UTC