php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50212 SEGV by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT
Submitted: 2009-11-18 01:29 UTC Modified: 2009-11-18 13:37 UTC
From: shigeru_kitazaki at cybozu dot co dot jp Assigned:
Status: Closed Package: LDAP related
PHP Version: 5.3.0 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: shigeru_kitazaki at cybozu dot co dot jp
New email:
PHP Version: OS:

 

 [2009-11-18 01:29 UTC] shigeru_kitazaki at cybozu dot co dot jp
Description:
------------
NULL pointer access occurs to get option value when no option value is set on LDAP_OPT_NETWORK_TIMEOUT.
ldap_get_option() of OpenLDAP returns success when no value is set,
which is implemented in libraries/libldap/options.c of OpenLDAP source tree.
But original PHP source code try to access property value.
Here is the patch to resolve this.

diff -Nrub php-5.3.0/ext/ldap/ldap.c php-5.3.0.ldap/ext/ldap/ldap.c
--- php-5.3.0/ext/ldap/ldap.c	2009-06-26 00:19:29.000000000 +0900
+++ php-5.3.0.ldap/ext/ldap/ldap.c	2009-11-17 18:19:20.000000000 +0900
@@ -1619,9 +1619,13 @@
 				}
 				RETURN_FALSE;
 			}		       
+			if (timeout) {
 			zval_dtor(retval);
 			ZVAL_LONG(retval, timeout->tv_sec);
 			ldap_memfree(timeout);
+			} else {
+				RETURN_FALSE;
+			}
 		} break;
 #elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
 	case LDAP_X_OPT_CONNECT_TIMEOUT:

Although manual page of ldap.constants says LDAP_OPT_NETWORK_TIMEOUT is the option for ldap_set_option(),
the parameter is also available on function.ldap-get-option.

Reproduce code:
---------------
<?php
$host = "localhost";
$conn = ldap_connect($host);
ldap_get_option($conn, LDAP_OPT_NETWORK_TIMEOUT, $val);

Actual result:
--------------
Segmentation fault

Patches

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-11-18 04:03 UTC] srinatar@php.net
thanks for trying it out and providing us the patch. 

i have changed the patch to be some thing like below
Index: ext/ldap/ldap.c
===================================================================
--- ext/ldap/ldap.c     (revision 290898)
+++ ext/ldap/ldap.c     (working copy)
@@ -1592,6 +1592,8 @@
                                RETURN_FALSE;
                        }                      
                        zval_dtor(retval);
+                       if (!timeout)
+                               RETURN_FALSE;
                        ZVAL_LONG(retval, timeout->tv_sec);
                        ldap_memfree(timeout);
                } break;

--- /dev/null   2009-11-15 17:50:37.203856521 -0800
+++ ext/ldap/tests/ldap_get_option_timeout.phpt 2009-11-17 
19:58:38.000000000 -0800
@@ -0,0 +1,20 @@
+--TEST--
+ldap_get_option() - Basic ldap_get_option() operation
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+require "connect.inc";
+
+$link = ldap_connect($host, $port);
+$option = null;
+var_dump(
+       ldap_get_option($link, LDAP_OPT_NETWORK_TIMEOUT, $option),
+       $option
+);
+?>
+===DONE===
+--EXPECT--
+bool(true)
+int(3)
+===DONE===


I don't have any ldap server running. so, i will hope some one can 
verify if this above test is running fine before they can commit it

see also bug #42837 (http://bugs.php.net/bug.php?id=42837). 
 [2009-11-18 13:37 UTC] svn@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=290913
Log: Fixed bug #50212 (crash by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT).
 [2009-11-18 13:37 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Sep 07 21:01:27 2024 UTC