|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50540 Segmentation fault while running ldap_next_reference
Submitted: 2009-12-21 09:29 UTC Modified: 2009-12-21 20:40 UTC
From: sriram dot natarajan at gmail dot com Assigned: srinatar
Status: Closed Package: LDAP related
PHP Version: 5.2SVN-2009-12-21 (snap) OS: RHEL5.2
Private report: No CVE-ID:
 [2009-12-21 09:29 UTC] sriram dot natarajan at gmail dot com
found segmentation fault on free with invalid pointer while running 
php ldap unit test cases on Redhat enterprise linux 5.2 (64-bit)

PASS ldap_next_attribute() - Testing ldap_next_attribute() that should 
fail [ext/ldap/tests/ldap_next_attribute_error.phpt]
PASS ldap_next_entry() - Basic ldap_first_entry test 
PASS ldap_next_entry() - Testing ldap_next_entry() that should fail 
*** glibc detected *** /export/home/sriramn/php/sapi/cli/php: free(): 
invalid pointer: 0x00007fffe402f898 ***
======= Backtrace: =========

note: i haven't tried this on 32-bit. here, php is compiled in 32-bit.

Reproduce code:
- enable ldap server from RHEL 5.2 (64-bit)
- enable ldap server to run as root with secret as rootpw
- running php ldap unit test case causes segv.

Expected result:
- test pass successfully

Actual result:
- segv seen while running ldap_next_entry_*phpt


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-12-21 09:33 UTC]
analyzing the core dump, got some more info..

#0  0x0000003662e0675d in ber_free () from /usr/lib64/
#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at 
#2  0x00000000006de62a in list_entry_destructor (ptr=0x94873a0) at 
#3  0x00000000006dbe0b in zend_hash_del_key_or_index (ht=0xaa99a8, 
arKey=0x0, nKeyLength=0, h=7, flag=1)
    at /export/home/sriramn/php/Zend/zend_hash.c:497
#4  0x00000000006de116 in _zend_list_delete (id=7) at 
#5  0x00000000006cd79f in _zval_dtor_func (zvalue=0x94873e0) at 
#6  0x00000000006bf1d8 in _zval_dtor (zvalue=0x94873e0) at 
#7  0x00000000006bf3e0 in _zval_ptr_dtor (zval_ptr=0x9488ac0) at 
#8  0x00000000006dc21b in zend_hash_apply_deleter (ht=0xaa98a8, 
p=0x9488aa8) at /export/home/sriramn/php/Zend/zend_hash.c:611
#9  0x00000000006dc30d in zend_hash_graceful_reverse_destroy 
(ht=0xaa98a8) at /export/home/sriramn/php/Zend/zend_hash.c:646
#10 0x00000000006beedc in shutdown_executor () at 
#11 0x00000000006cee43 in zend_deactivate () at 
#12 0x000000000067c99d in php_request_shutdown (dummy=0x0) at 
#13 0x000000000074d7ef in main (argc=57, argv=0x7fff248479c8) at 

#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at 
223                     ber_free(entry->ber, 0);
(gdb) p *entry
$10 = {data = 0x94adf20, ber = 0x3d63642c6e69616d, id = 6}
(gdb) up
#2  0x00000000006de62a in list_entry_destructor (ptr=0x94873a0) at 
184                                             ld->list_dtor_ex(le 
(gdb) ptype ld
type = struct _zend_rsrc_list_dtors_entry {
    void (*list_dtor)(void *);
    void (*plist_dtor)(void *);
    rsrc_dtor_func_t list_dtor_ex;
    rsrc_dtor_func_t plist_dtor_ex;
    char *type_name;
    int module_number;
    int resource_id;
    unsigned char type;
} *   
#1  0x00000000004e0ba2 in _free_ldap_result_entry (rsrc=0x94873a0) at 
223                     ber_free(entry->ber, 0);
(gdb) ptype entry
type = struct {
    LDAPMessage *data;
    BerElement *ber;
    int id;
} *   

 [2009-12-21 11:29 UTC]
Exactly what openldap version have you compiled PHP with?
 [2009-12-21 18:15 UTC] sriram dot natarajan at gmail dot com
sriramn@memcache]'php'>rpm -qa | grep openldap

ldap version is the default version that is shipped within RHEL 5.2.
 [2009-12-21 19:16 UTC]
changed the synopsis of the bug from Segmentation fault with 
"free:invalid pointer while running ldap unit tests

core dump while running ldap_next_reference test cases.

i am testing a patch that addresses this issue.
 [2009-12-21 20:39 UTC]
Automatic comment from SVN on behalf of srinatar
Log: Fixed bug #50540 (Crash within ldap_first_reference function)
 [2009-12-21 20:40 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Thu Nov 26 03:01:32 2015 UTC