Bug #50722 Memory corruption / SegFault with WSDL in-memory cache
Submitted: 2010-01-11 17:51 UTC
Modified: 2010-01-14 23:30 UTC
Votes: 3
Avg. Score: 4.7 ± 0.5
Reproduced: 3 of 3 (100.0%)
Same Version: 0 (0.0%)
Same OS: 1 (33.3%)
From: meatloafninja at gmail dot com
Assigned:
Status: Open
Package: SOAP related
PHP Version: 5.2.12
OS: CentOS 5.x
Private report: No
CVE-ID: None
 [2010-01-11 17:51 UTC] meatloafninja at gmail dot com
Description:
------------
If you enable WSDL caching and set the cache type to 2 (memory) or 3 (both disk and memory), and create a SoapServer with a WSDL, and within the context of that SoapServer create multiple SoapClient connections to external web services with WSDLs (exceeding the soap.wsdl_cache_limit setting), the SoapServer's in-memory copy of its own WSDL will get removed / freed.

This causes a segmentation fault of the web server child process or a corrupt / invalid XML response, as the SoapServer will be unable to access its own WSDL when the time comes to send its response to the original requesting client.

The SoapServer WSDL should be protected from removal.



Reproduce code:
---------------
<?php
ini_set('soap.wsdl_cache_enabled', 1);
ini_set('soap.wsdl_cache', 3);

function test($x)
{
    $client1 = new SoapClient("http://some.other.host/client1.wsdl");
    $client2 = new SoapClient("http://some.other.host/client2.wsdl");
    $client3 = new SoapClient("http://some.other.host/client3.wsdl");
    $client4 = new SoapClient("http://some.other.host/client4.wsdl");
    $client5 = new SoapClient("http://some.other.host/client5.wsdl");

    return $x; //web server segfaults or corrupt XML returned
}

$server = new SoapServer("server.wsdl");
$server->addFunction("test");
$server->handle();
?>

Expected result:
----------------
A valid XML response as defined by server.wsdl.

Actual result:
--------------
Either a segmentation fault on the web server and a "Could not fetch HTTP headers" error on the client, or a corrupted XML response.
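
The failure described in this report, reduced to a small model (an added example, not part of the original report and not PHP's ext/soap code): a bounded cache whose eviction ignores in-use entries, next to one that skips them. `CACHE_LIMIT`, the struct and function names, and the document names in the scenario are constructed for illustration.

```c
#include <string.h>

#define CACHE_LIMIT 3  /* stand-in for soap.wsdl_cache_limit (value assumed) */
typedef struct { char uri[48]; unsigned long gen; int refs; } slot_t;
typedef struct { slot_t slot[CACHE_LIMIT]; unsigned long clock; int pin; } cache_t;
typedef struct { int idx; unsigned long gen; } handle_t;

/* Fetch uri, loading it on a miss. pin == 0: the oldest entry is evicted even
 * while a holder still uses it (the reported behaviour). pin != 0: referenced
 * entries are skipped; idx -1 means "all entries in use, load uncached". */
handle_t cache_acquire(cache_t *c, const char *uri) {
    int victim = -1;
    for (int i = 0; i < CACHE_LIMIT; i++) {
        slot_t *s = &c->slot[i];
        if (s->gen && strcmp(s->uri, uri) == 0) {   /* hit: take a reference */
            s->refs++;
            return (handle_t){ i, s->gen };
        }
        if (c->pin && s->gen && s->refs > 0)
            continue;                               /* in use: not evictable */
        if (victim < 0 || s->gen < c->slot[victim].gen)
            victim = i;                             /* empty (gen 0) or oldest */
    }
    if (victim < 0) return (handle_t){ -1, 0 };
    slot_t *s = &c->slot[victim];
    strncpy(s->uri, uri, sizeof s->uri - 1);
    s->uri[sizeof s->uri - 1] = '\0';
    s->gen = ++c->clock;                            /* slot now holds a new document */
    s->refs = 1;
    return (handle_t){ victim, s->gen };
}

/* A holder's view is stale once its slot was reused for another document. */
int handle_valid(const cache_t *c, handle_t h) { return h.idx >= 0 && c->slot[h.idx].gen == h.gen; }

/* Constructed scenario: a server holds its own WSDL while its handler opens
 * n_clients (1..9) more. Returns 1 if the server's entry is still intact. */
int server_wsdl_survives(int pin, int n_clients) {
    cache_t c = { .pin = pin };
    char uri[] = "client0.wsdl";
    handle_t server = cache_acquire(&c, "server.wsdl");
    for (int i = 0; i < n_clients; i++) {
        uri[6] = (char)('1' + i);                   /* client1.wsdl, client2.wsdl, ... */
        cache_acquire(&c, uri);                     /* held until handler returns */
    }
    return handle_valid(&c, server);
}

int main(void) { return !(server_wsdl_survives(1, 5) && !server_wsdl_survives(0, 5)); }
```

The model tracks staleness with a generation counter instead of freeing memory, so the unsafe path can be observed without triggering undefined behaviour.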

History

 [2010-01-11 20:48 UTC] srinatar@php.net
sounds similar to bug #50675 (See Also)
 [2010-01-13 13:34 UTC] srinatar@php.net
Thanks for taking the time to report this issue to us. Can you please try to
reproduce this issue with the latest snapshot? I am currently not able
to reproduce it with the latest snapshot.

You can get the latest snapshot PHP source from

http://snaps.php.net/

For Windows:

http://windows.php.net/snapshots/


 [2010-01-14 23:30 UTC] meatloafninja at gmail dot com
It is not fixed, I can still reproduce the segmentation fault with the snapshot version.
 [2016-11-02 23:02 UTC] gcarrette at wayfair dot com
Experienced this bug in PHP 7.0.12 and
posted a script to reproduce in Bug #71931
since that has a lot more recent activity.
My backtrace was

Program received signal SIGSEGV, Segmentation fault.
#0  zend_hash_destroy (ht=0x24dec60) at php-7.0.12/Zend/zend_hash.c:1278
#1  0x000000000061720e in delete_type_persistent (zv=<optimized out>) at php-7.0.12/ext/soap/php_schema.c:2459
#2  0x000000000072f2dd in zend_hash_destroy (ht=0x2e23850) at php-7.0.12/Zend/zend_hash.c:1265
#3  0x000000000061e2a1 in delete_psdl_int (p=<optimized out>)  at php-7.0.12/ext/soap/php_sdl.c:3130
#4  0x000000000061e30f in delete_psdl (zv=0x23b9c30) at php-7.0.12/ext/soap/php_sdl.c:3150
#5  0x000000000072f221 in zend_hash_destroy (ht=0x11652a0) at php-7.0.12/Zend/zend_hash.c:1284
#6  0x00000000005ef729 in zm_shutdown_soap (type=<optimized out>, module_number=23) at php-7.0.12/ext/soap/soap.c:598
#7  0x00000000007252f3 in module_destructor (module=module@entry=0xf468c0) at php-7.0.12/Zend/zend_API.c:2503
#8  0x000000000071de4c in module_destructor_zval (zv=<optimized out>) at php-7.0.12/Zend/zend.c:615
#9  0x000000000072fd48 in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=<optimized out>, ht=<optimized out>) at php-7.0.12/Zend/zend_hash.c:1026
#10 _zend_hash_del_el (p=0xf23500, idx=22, ht=0xf15e60 <module_registry>) at php-7.0.12/Zend/zend_hash.c:1050
#11 zend_hash_graceful_reverse_destroy (ht=ht@entry=0xf15e60 <module_registry>) at php-7.0.12/Zend/zend_hash.c:1502
#12 0x000000000072372c in zend_destroy_modules () at php-7.0.12/Zend/zend_API.c:1982
#13 0x000000000071edb5 in zend_shutdown () at php-7.0.12/Zend/zend.c:840
#14 0x00000000006c340b in php_module_shutdown () at php-7.0.12/main/main.c:2362
#15 0x0000000000435855 in main (argc=3, argv=0xf19c80) at php-7.0.12/sapi/cli/php_cli.c:135
 
Last updated: Wed Feb 19 17:01:32 2020 UTC