Bug #56294 Segfault in libssh2_channel_free
Submitted: 2005-02-11 17:31 UTC Modified: 2005-10-23 09:20 UTC
From: jplock at yahoo dot com Assigned:
Status: No Feedback Package: ssh2 (PECL)
PHP Version: 5.0.3 OS: Linux
Private report: No CVE-ID: None

 [2005-02-11 17:31 UTC] jplock at yahoo dot com
Description:
------------
My script works fine (it is segfaulting from my mail handler), but the SSH file transfer is taking place as it should. My script and backtrace are below. Thanks.

#0  libssh2_channel_free (channel=0x4882250) at channel.c:1032
#1  0x408599f9 in libssh2_sftp_shutdown (sftp=0x4882250) at sftp.c:493
#2  0x40846fe5 in php_ssh2_sftp_dtor (rsrc=0x4882250)
    at /tmp/tmpWsAobb/ssh2-0.6/ssh2_sftp.c:41
#3  0x081ce7d5 in list_entry_destructor (ptr=0x8474c44)
    at /home/jplock/files/www/php-5.0.3/Zend/zend_list.c:178
#4  0x081cd788 in zend_hash_apply_deleter (ht=0x83dc0d4, p=0x84bb71c)
    at /home/jplock/files/www/php-5.0.3/Zend/zend_hash.c:574
#5  0x081cd906 in zend_hash_apply_with_argument (ht=0x83dc0d4,
    apply_func=0x81ce8d4 <clean_module_resource>, argument=0x84741d8)
    at /home/jplock/files/www/php-5.0.3/Zend/zend_hash.c:684
#6  0x081ce91c in zend_clean_module_rsrc_dtors_cb (ld=0x84741c0, module_number=0x4882250)
    at /home/jplock/files/www/php-5.0.3/Zend/zend_list.c:250
#7  0x081cd8da in zend_hash_apply_with_argument (ht=0x83d7260,
    apply_func=0x81ce8ec <zend_clean_module_rsrc_dtors_cb>, argument=0xbffff250)
    at /home/jplock/files/www/php-5.0.3/Zend/zend_hash.c:683
#8  0x081ce951 in zend_clean_module_rsrc_dtors (module_number=23)
    at /home/jplock/files/www/php-5.0.3/Zend/zend_list.c:261
#9  0x081cb28f in module_destructor (module=0x8472e98)
    at /home/jplock/files/www/php-5.0.3/Zend/zend_API.c:1483
#10 0x081cd788 in zend_hash_apply_deleter (ht=0x83dc220, p=0x8472e68)
    at /home/jplock/files/www/php-5.0.3/Zend/zend_hash.c:574
#11 0x081cd886 in zend_hash_apply (ht=0x83dc220, apply_func=0x81cb300 <module_registry_cleanup>)
    at /home/jplock/files/www/php-5.0.3/Zend/zend_hash.c:665
#12 0x081c808a in zend_deactivate_modules ()
    at /home/jplock/files/www/php-5.0.3/Zend/zend.c:803
#13 0x0819acc2 in php_request_shutdown (dummy=0x0)
    at /home/jplock/files/www/php-5.0.3/main/main.c:1198
#14 0x081eb270 in main (argc=3, argv=0xbffffb04)
    at /home/jplock/files/www/php-5.0.3/sapi/cli/php_cli.c:1046

(gdb) frame 0
#0  libssh2_channel_free (channel=0x4882250) at channel.c:1032
1032            if (!channel->local.close && (session->socket_state == LIBSSH2_SOCKET_CONNECTED) &&

Reproduce code:
---------------
#!/usr/local/bin/php -c /usr/local/lib/php.ini
<?php

if (!extension_loaded('ssh2')) {
        if (!dl('ssh2.so')) {
                die('Could not load ssh2.so');
        }
}

$aMethods = array(
        'client_to_server' => array('comp'=>'zlib'),
        'server_to_client' => array('comp'=>'zlib')
);

$rConn = ssh2_connect('xxxxxx', 22, $aMethods);
if ($rConn && ssh2_auth_password($rConn, 'jplock', 'xxxxx')) {
  $sftp = ssh2_sftp($rConn);
  if ($sftp) {
    $sUploadDir = '/home/sites/xxxxxx/tmp/mail';
                
    $sTmpFile = '_'.time();

    $sData = file_get_contents('php://stdin');

    ssh2_exec($rConn, "/usr/bin/touch $sUploadDir/$sTmpFile.pending");

    $rFile = fopen("ssh2.sftp://$sftp/$sUploadDir/$sTmpFile.pending", 'wb');
    if ($rFile) {
      fwrite($rFile, $sData);
    }
    fclose($rFile);

    ssh2_sftp_rename($sftp, $sUploadDir.'/'.$sTmpFile.'.pending', $sUploadDir.'/'.$sTmpFile.'.done');

  }
}
?>

Expected result:
----------------
The file will be SSH'ed properly with no segfault.

Actual result:
--------------
The file is being SSH'ed properly, but the script still segfaults.

 [2005-02-13 19:08 UTC] pollita@php.net
Try as I might, I just can't reproduce this and the pointer values in #0-#2 are just.... not possible.  If I had to take a guess at this point I'd blame it on a stack corruption.

The script looks like it's being executed from the command line.  Presumably CLI (or are you using CGI?).  Do you have any zend_extensions installed? (i.e. An accelerator or profiler).

What other extensions do you have installed?  Does the problem persist if you recompile with --enable-maintainer-zts?  Does the problem persist if you patch ssh2_sftp.c to remove the need to touch before writing? http://cvs.php.net/diff.php/pecl/ssh2/ssh2_sftp.c?php=0aa68ded0a4fa09ca9d7a6272534d553&r1=1.1&r2=1.2&ty=u

What distribution of Linux are you running?  On what processor type?  Can you try this on another box?

Does the problem persist if you recompile PHP with SSH2 compiled in statically? (Extract the ssh2 package under ext/, run ./buildconf from the root of the source tree, then ./configure --with-ssh2 --and-other-options, and make)

What version of OpenSSL are you using?  Is it the same one that PHP was compiled with?

Is my assumption that you compiled this module on this box correct?  What showed for PHPAPINO and ZENDAPINO when you performed `pear install ssh2-beta`?
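
Added example (not part of the original report or of pecl/ssh2): a small triage helper that parses a gdb backtrace and lists every pointer-sized value that shows up under more than one parameter name, which is the pattern questioned above for frames #0-#2. The function names `parse_frames` and `repeated_values` and the `min_value` threshold are assumptions made for this sketch; the sample input is the report's own frames #0-#8 with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Frames #0-#8 from this report, wrapped lines rejoined; file locations that
# sat on continuation lines are omitted. Embedded so the script runs offline.
BACKTRACE = """\
#0  libssh2_channel_free (channel=0x4882250) at channel.c:1032
#1  0x408599f9 in libssh2_sftp_shutdown (sftp=0x4882250) at sftp.c:493
#2  0x40846fe5 in php_ssh2_sftp_dtor (rsrc=0x4882250)
#3  0x081ce7d5 in list_entry_destructor (ptr=0x8474c44)
#4  0x081cd788 in zend_hash_apply_deleter (ht=0x83dc0d4, p=0x84bb71c)
#5  0x081cd906 in zend_hash_apply_with_argument (ht=0x83dc0d4, apply_func=0x81ce8d4 <clean_module_resource>, argument=0x84741d8)
#6  0x081ce91c in zend_clean_module_rsrc_dtors_cb (ld=0x84741c0, module_number=0x4882250)
#7  0x081cd8da in zend_hash_apply_with_argument (ht=0x83d7260, apply_func=0x81ce8ec <zend_clean_module_rsrc_dtors_cb>, argument=0xbffff250)
#8  0x081ce951 in zend_clean_module_rsrc_dtors (module_number=23)
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*?)\)(?: at .*)?$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+|-?\d+)")

def parse_frames(text):
    """Return [(frame_no, function, {arg_name: int_value})] from gdb 'bt' text."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            args = {name: int(val, 0) for name, val in ARG_RE.findall(m.group(3))}
            frames.append((int(m.group(1)), m.group(2), args))
    return frames

def repeated_values(frames, min_value=0x1000):
    """Map each pointer-sized value seen under two or more different
    parameter names to the (frame, function, parameter) sites showing it."""
    sites = defaultdict(list)
    for no, func, args in frames:
        for name, val in args.items():
            if val >= min_value:  # skip small integers such as module_number=23
                sites[val].append((no, func, name))
    return {v: s for v, s in sites.items() if len({n for _, _, n in s}) > 1}

if __name__ == "__main__":
    for value, sites in repeated_values(parse_frames(BACKTRACE)).items():
        print(hex(value), "appears as:")
        for no, func, name in sites:
            print(f"  frame #{no} {func}({name})")
```

A pointer handed down a call chain under different names is normal, so a hit is a prompt to look closer rather than proof of corruption. What stands out in this trace is that the same value also sits in the integer `module_number` slot of frame #6, while frame #8 shows `module_number=23`.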
 [2005-02-18 00:25 UTC] jplock at yahoo dot com
Let me see how many of these questions I can answer...

Yes it is being executed on the command line (CLI).
Yes I've got the Zend Optimizer also installed.

[PHP Modules]
bcmath
ctype
dom
exif
gd
gettext
iconv
libxml
mbstring
mysql
mysqli
pcre
session
SimpleXML
soap
SPL
ssh2
standard
tokenizer
xml
xmlrpc
xsl
Zend Optimizer
zlib

[Zend Modules]
Zend Extension Manager
Zend Optimizer

I haven't tried recompiling with --enable-maintainer-zts yet as this is a production machine. I have patched ssh2_sftp.c so I don't have to touch before writing and the problem still persists.

uname -a provides: Linux u15150138.onlinehome-server.com 2.4.25-040218 #1 SMP Wed Feb 18 17:59:29 CET 2004 i686 i686 i386 GNU/Linux

This is a remote machine which I have access to, I believe they are Celeron CPUs. I can't try this on another machine. I haven't tried recompiling PHP statically yet, because as I said it's a production machine.

OpenSSL version 0.9.7e

PHP API 	20031224
PHP Extension 	20041030
Zend Extension 	220040412
 [2005-05-18 00:52 UTC] pollita@php.net
Please give libssh2 0.10 and pecl/ssh2 0.8 a shot
 [2005-10-23 09:20 UTC] mike@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
