php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52240 hash_copy() does not copy the HMAC key, causes wrong results and PHP crashes
Submitted: 2010-07-03 12:43 UTC Modified: 2010-07-03 15:06 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: jakub at devsense dot com Assigned: felipe
Status: Closed Package: hash related
PHP Version: 5.3.2 OS: Windows
Private report: No CVE-ID:
 [2010-07-03 12:43 UTC] jakub at devsense dot com
Description:
------------
in ./ext/hash/hash.c, line 559

The hash_copy() function does not copy the hash->key field. It only copies the pointer. Because of hash_final() clears the key, the result of hash_final of copied hashing resource gives wrong results. It causes random PHP crashes too, because the pointer to the HMAC key can be invalid (released within the other hashing context).

Test script:
---------------
$h = hash_init('crc32b', HASH_HMAC, '123456' );
$h2 = hash_copy($h);
var_dump(hash_final($h));
var_dump(hash_final($h2));

echo '<-- These two results should be the same.';

Expected result:
----------------
string(8) "278af264" string(8) "278af264" <-- These two results should be the same.

Actual result:
--------------
string(8) "278af264" string(8) "07997b35" <-- These two results should be the same.

Patches

Database123. (last revision 2010-11-19 06:44 UTC) by sex_perversss at yahoo dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-03 15:06 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=300972
Log: - Fixed bug #52240 (hash_copy() does not copy the HMAC key, causes wrong results and PHP crashes)
 [2010-07-03 15:06 UTC] felipe@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2010-07-03 15:06 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 10:02:09 2014 UTC