Bug #51288 null pointer deref when <methodName> is not set
Submitted: 2010-03-13 03:20 UTC Modified: 2010-11-16 21:35 UTC
From: Assigned: geissert
Status: Closed Package: XMLRPC-EPI related
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: 2010-0397
 [2010-03-13 03:20 UTC]
This is CVE-2010-0397, originally reported by Auke van Slooten at

When processing an invalid (one without a <methodName>, required by the specs) XML-RPC request, the extension doesn't check for the NULL value returned by the xmlrpc library. This NULL is then passed to estrdup which dereferences the pointer, leading to a segmentation fault. This can easily be used to perform DoS attacks by crashing the server.

I've already notified, but since the issue is public there's no point in hiding it or the patch. The attached patch fixes the problem, which can also be found at:;a=blob;f=debian/patches/CVE-2010-0397.patch;h=186b2166644c066f28f1ffb9195ffa9f5744a604;hb=HEAD

Test script:
<?php
// Request body with no <methodName> element inside <methodCall>.
$method = '';
$req = '<?xml version="1.0"?><methodCall></methodCall>';
var_dump(xmlrpc_decode_request($req, $method));
echo "Done\n";

Expected result:

Actual result:
Segmentation fault
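
The missing NULL check described in the report, shown as an added stand-alone example; it is not the extension's code or the attached patch. All names in it (struct request, parse_request, request_method_name, dup_string, decode_unchecked, decode_checked) are hypothetical stand-ins, with dup_string modelling estrdup and request_method_name modelling the library call that returns NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed request; has_name stays 0 without <methodName>. */
struct request { char name[64]; int has_name; };
void parse_request(const char *xml, struct request *r) {
    const char *s = strstr(xml, "<methodName>");
    const char *e = s ? strstr(s, "</methodName>") : NULL;
    r->has_name = 0;
    if (!e) return;                       /* element absent or unterminated */
    s += strlen("<methodName>");
    size_t len = (size_t)(e - s);
    if (len >= sizeof r->name) return;    /* too long for the demo buffer */
    memcpy(r->name, s, len);
    r->name[len] = '\0';
    r->has_name = 1;
}
/* Models the library accessor: NULL when the method name was never set. */
const char *request_method_name(const struct request *r) {
    return r->has_name ? r->name : NULL;
}
/* Models estrdup: strlen() dereferences s, so s must not be NULL. */
char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy) memcpy(copy, s, n);
    return copy;
}
/* Before: the accessor result goes straight to the copy; crashes on NULL. */
char *decode_unchecked(const char *xml) {
    struct request r;
    parse_request(xml, &r);
    return dup_string(request_method_name(&r));
}
/* After: a missing method name is a decode failure, not a copy. */
char *decode_checked(const char *xml) {
    struct request r;
    parse_request(xml, &r);
    const char *name = request_method_name(&r);
    return name ? dup_string(name) : NULL;
}

int main(void) {
    /* Constructed input matching the shape of the test script's request. */
    char *m = decode_checked("<?xml version=\"1.0\"?><methodCall></methodCall>");
    printf("invalid request -> %s\n", m ? m : "(rejected)");
    free(m);
    return 0;
}
```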


CVE-2009-3765 (last revision 2010-03-13 02:20 UTC) by

 [2010-03-13 03:20 UTC]
The following patch has been added/updated:

Patch Name: CVE-2009-3765
Revision:   1268446854
 [2010-03-13 18:00 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: geissert
 [2010-03-13 18:00 UTC]
Go ahead and commit it. :)
 [2010-03-13 19:39 UTC]
-Status: Assigned +Status: Closed
 [2010-03-13 19:39 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Hope I got the NEWS entry order right
 [2010-03-13 19:40 UTC]
Automatic comment from SVN on behalf of geissert
Log: Fix CVE-2010-0397: null pointer dereference when processing invalid XML-RPC
requests (bug #51288)
 [2010-11-16 00:01 UTC]
-CVE-ID: 2009-3765 +CVE-ID:
 [2010-11-16 00:02 UTC]
-Package: XMLRPC-EPI related +Package: Security related -CVE-ID: +CVE-ID: 2009-3765
 [2010-11-16 00:03 UTC]
-Private report: +Private report: N
 [2010-11-16 01:14 UTC]
-Private report: N +Private report: Y
 [2010-11-16 01:15 UTC]
-Private report: +Private report: Y
 [2010-11-16 21:28 UTC]
-Private report: +Private report: N -CVE-ID: 2009-3765 +CVE-ID: 2010-0397
 [2010-11-16 21:35 UTC]
-Package: Security related +Package: XMLRPC-EPI related
Last updated: Mon Nov 30 11:01:54 2015 UTC