|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55395 php soap extension passes unsafe zvals to user functions, corrupting memory
Submitted: 2011-08-11 03:12 UTC Modified: 2017-10-24 07:57 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: askalski at gmail dot com Assigned:
Status: Open Package: SOAP related
PHP Version: 5.4SVN-2011-08-11 (snap) OS: linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-08-11 03:12 UTC] askalski at gmail dot com
The PHP SOAP extension passes unsafe zvals as arguments to user functions (for example, __doRequest.)  If that user function saves a reference to those zvals, it leads to memory corruption, generally resulting in a segmentation fault.

Two example problems from ext/soap/soap.c.  The whole SOAP extension needs to be audited for this:

(1) Allocating a zval on the stack, then passing a pointer to that zval into a user function:
  zval param0;
  params[0] = &param0;
  call_user_function(..., params ...);

(2) Failing to duplicate string buffers:

  // 'buf' is freed while references to its zval potentially still exist
  xmlDocDumpMemory(request, (xmlChar**)&buf, &buf_size);
  ZVAL_STRINGL(params[0], buf, buf_size, 0); // needs to be ", 1);"
  call_user_function(..., params ...);

  static int do_request(..., char *location, ...) {
      // 'location' is malloc memory that may be freed before the zval
      ZVAL_STRING(params[1], location, 0); // needs to be ", 1);"
      call_user_function(..., params ...);

Test script:
class CorruptSoap extends SoapClient {
        function __doRequest($request, $location, $action, $version, $one_way) {
                global $params;
                $params = array(
                        'request' => $request,
                        'location' => $location,
                        'action' => $action,
                        'version' => $version,
                        'one_way' => $one_way);
                debug_zval_dump($params); // Before
                return "";
$x = new CorruptSoap(NULL, array('location' => 'http://location/', 'uri' => 'http://uri/'));
debug_zval_dump($params); // After

Expected result:
The before/after debug_zval_dump output should look the same, with slightly different (but valid) reference counts.

Actual result:
Before the stack gets smashed:

    array(5) refcount(1){
      string(375) "<?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="" xmlns:ns1="http://uri/" xmlns:xsd="" xmlns:SOAP-ENC="" SOAP-ENV:encodingStyle=""><SOAP-ENV:Body><ns1:Test/></SOAP-ENV:Body></SOAP-ENV:Envelope>
    " refcount(5)
      string(16) "http://location/" refcount(5)
      string(16) "http://uri/#Test" refcount(5)
      long(1) refcount(5)
      long(0) refcount(5)

After the stack has been smashed:

    array(5) refcount(2){
      NULL refcount(0)
      NULL refcount(0)
      NULL refcount(0)
      NULL refcount(10153504)
      NULL refcount(0)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-08-12 01:19 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2017-10-24 07:57 UTC]
-Status: Assigned +Status: Open -Assigned To: dmitry +Assigned To:
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Oct 01 01:01:24 2020 UTC