php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #56303 ssh2_scp_recv from ssh2-0.7 (CVS) causes segfault on a ~60KB file
Submitted: 2005-02-15 07:30 UTC Modified: 2005-10-23 09:21 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: markus dot lervik at necora dot fi Assigned:
Status: No Feedback Package: ssh2 (PECL)
PHP Version: 5.0.3 OS: Linux (SuSE 9.1)
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2005-02-15 07:30 UTC] markus dot lervik at necora dot fi
Description:
------------
Trying to copy an about 60KB file from a remote system repeatedly causes a segfault. I haven't been able to pinpoint the exact size of the file, because it behaves a bit randomly, but a 64253 byte file gets copied, while a 65514 byte file causes the segfault. A 65515 byte file causes ssh2_scp_recv to  hang. A 65491 byte file gets copied normally, while a 65490 byte file causes a segfault.

OpenSSH is version 3.8p1-100.SuSE.ulb.1

php -m
[PHP Modules]
bz2
ctype
curl
dom
exif
gd
iconv
libxml
openssl
pcre
pgsql
posix
session
SimpleXML
soap
SPL
ssh2
standard
tokenizer
wddx
xml
xmlrpc
xsl
zlib

[Zend Modules]





Reproduce code:
---------------
<?php

$c = ssh2_connect('server', 22);

ssh2_auth_pubkey_file($c, 'user', '/home/user/.ssh/id_dsa.pub', '/home/user/.ssh/id_dsa');

ssh2_scp_recv($c, 'test', './test');

?>

Actual result:
--------------
65514 byte file

---------------------------------------
/home/mle/x/pecl/ssh2/ssh2.c(68) : Block 0x08414E8C status:
Beginning:      Overrun (magic=0x00000000, expected=0x7312F8DC)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 15854)]
0x404ddb2c in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x404ddb2c in memcpy () from /lib/libc.so.6
#1  0x082246cf in _mem_block_check (ptr=0x8414eb0, silent=0,
    __zend_filename=0x405c0246 "/home/mle/x/pecl/ssh2/ssh2.c", __zend_lineno=68,
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/mle/soares/php-5.0.3/Zend/zend_alloc.c:722
#2  0x08224696 in _mem_block_check (ptr=0x8414eb0, silent=1,
    __zend_filename=0x405c0246 "/home/mle/x/pecl/ssh2/ssh2.c", __zend_lineno=68,
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/mle/soares/php-5.0.3/Zend/zend_alloc.c:714
#3  0x08223932 in _efree (ptr=0x8414eb0,
    __zend_filename=0x405c0246 "/home/mle/x/pecl/ssh2/ssh2.c", __zend_lineno=68,
    __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /home/mle/soares/php-5.0.3/Zend/zend_alloc.c:265
#4  0x405ba689 in php_ssh2_free_cb (ptr=0x8414eb0, abstract=0x83b6fc4)
    at /home/mle/x/pecl/ssh2/ssh2.c:68
#5  0x405c7639 in libssh2_comp_method_zlib_comp (session=0x83b6fc4, compress=0, dest=0xbfffc9c0,
    dest_len=0xbfffc9c0, payload_limit=40000, free_dest=0xbfffc9c0, src=0xbfffc9c0 "",
    src_len=48, abstract=0xbfffc9c0) at comp.c:223
#6  0x405cd582 in libssh2_packet_read (session=0x83b6fc4, should_block=0) at packet.c:695
#7  0x405c5653 in libssh2_channel_read_ex (channel=0x83fc4ec, stream_id=0, buf=0xbfffcc70 "",
    buflen=8192) at channel.c:819
#8  0x405bd542 in zif_ssh2_scp_recv (ht=3, return_value=0x83b5d84, this_ptr=0x0,
    return_value_used=0) at /home/mle/x/pecl/ssh2/ssh2_fopen_wrappers.c:900
#9  0x082691d8 in zend_do_fcall_common_helper (execute_data=0xbfffee20, opline=0x83b63a8,
    op_array=0x83b5c94) at /home/mle/soares/php-5.0.3/Zend/zend_execute.c:2711
#10 0x08269951 in zend_do_fcall_handler (execute_data=0xbfffee20, opline=0x83b63a8,
    op_array=0x83b5c94) at /home/mle/soares/php-5.0.3/Zend/zend_execute.c:2843
#11 0x082657ce in execute (op_array=0x83b5c94)
    at /home/mle/soares/php-5.0.3/Zend/zend_execute.c:1400
#12 0x08232b71 in zend_eval_string (
    str=0xbffff2e1 "$c = ssh2_connect(\"dev.necora.fi\", 22); ssh2_auth_pubkey_file($c, \"mle\", \"/home/mle/.ssh/id_dsa.pub\", \"/home/mle/.ssh/id_dsa\"); ssh2_scp_recv($c, \"test\", \"./test\");", retval_ptr=0x0, string_name=0x82b8a9c "Command line code")
    at /home/mle/soares/php-5.0.3/Zend/zend_execute_API.c:990
#13 0x08232d03 in zend_eval_string_ex (
    str=0xbffff2e1 "$c = ssh2_connect(\"dev.necora.fi\", 22); ssh2_auth_pubkey_file($c, \"mle\", \"/home/mle/.ssh/id_dsa.pub\", \"/home/mle/.ssh/id_dsa\"); ssh2_scp_recv($c, \"test\", \"./test\");", retval_ptr=0x0, string_name=0x82b8a9c "Command line code", handle_exceptions=1)
    at /home/mle/soares/php-5.0.3/Zend/zend_execute_API.c:1024
#14 0x08272e84 in main (argc=3, argv=0xbffff0e4)
    at /home/mle/soares/php-5.0.3/sapi/cli/php_cli.c:982



65515 byte file

Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 15857)]

<...time passes...>
(CTRL-C)

Program received signal SIGINT, Interrupt.
[Switching to Thread 16384 (LWP 15857)]
0x404fd475 in nanosleep () from /lib/libc.so.6
(gdb) bt
#0  0x404fd475 in nanosleep () from /lib/libc.so.6
#1  0x40528c0a in usleep () from /lib/libc.so.6
#2  0x405cbdeb in libssh2_blocking_read (session=0x83b6fc4, buf=0xbfffcb90 "\034??\bZ", count=16)
    at packet.c:552
#3  0x405cd1ce in libssh2_packet_read (session=0x83b6fc4, should_block=1) at packet.c:612
#4  0x405c5653 in libssh2_channel_read_ex (channel=0x83fc5cc, stream_id=0, buf=0xbfffcc70 "",
    buflen=23) at channel.c:819
#5  0x405bd542 in zif_ssh2_scp_recv (ht=3, return_value=0x83b5d84, this_ptr=0x0,
    return_value_used=0) at /home/mle/x/pecl/ssh2/ssh2_fopen_wrappers.c:900
#6  0x082691d8 in zend_do_fcall_common_helper (execute_data=0xbfffee20, opline=0x83b63a8,
    op_array=0x83b5c94) at /home/mle/soares/php-5.0.3/Zend/zend_execute.c:2711
#7  0x08269951 in zend_do_fcall_handler (execute_data=0xbfffee20, opline=0x83b63a8,
    op_array=0x83b5c94) at /home/mle/soares/php-5.0.3/Zend/zend_execute.c:2843
#8  0x082657ce in execute (op_array=0x83b5c94)
    at /home/mle/soares/php-5.0.3/Zend/zend_execute.c:1400
#9  0x08232b71 in zend_eval_string (
    str=0xbffff2e1 "$c = ssh2_connect(\"dev.necora.fi\", 22); ssh2_auth_pubkey_file($c, \"mle\", \"/home/mle/.ssh/id_dsa.pub\", \"/home/mle/.ssh/id_dsa\"); ssh2_scp_recv($c, \"test\", \"./test\");", retval_ptr=0x0, string_name=0x82b8a9c "Command line code")
    at /home/mle/soares/php-5.0.3/Zend/zend_execute_API.c:990
#10 0x08232d03 in zend_eval_string_ex (
    str=0xbffff2e1 "$c = ssh2_connect(\"dev.necora.fi\", 22); ssh2_auth_pubkey_file($c, \"mle\", \"/home/mle/.ssh/id_dsa.pub\", \"/home/mle/.ssh/id_dsa\"); ssh2_scp_recv($c, \"test\", \"./test\");", retval_ptr=0x0, string_name=0x82b8a9c "Command line code", handle_exceptions=1)
    at /home/mle/soares/php-5.0.3/Zend/zend_execute_API.c:1024
#11 0x08272e84 in main (argc=3, argv=0xbffff0e4)
    at /home/mle/soares/php-5.0.3/sapi/cli/php_cli.c:982


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-02-15 17:55 UTC] markus dot lervik at necora dot fi
Sorry, forgot to mention.

Problem is present in version 0.6 too.

Smaller files seem to come through, but for larger files (tested with one about 160KB) only part gets copied (got consistently about 130KB of above file).
 [2005-03-16 13:46 UTC] ep at numlog dot fr
I have the same troubles on Mandrake 9.1 with PHP 4.3.1.
 No problem for scp_recv but segfault for almost all file,
 even small, even binaries like .gz, with ssh2-0.7 .

php -m
[PHP Modules]
ctype
ftp
gettext
ionCube Loader
ldap
ncurses
openssl
pcre
pgsql
posix
session
snmp
sockets
ssh2
standard
sysvsem
sysvshm
xml
xmlrpc
yp
zlib

[Zend Modules]
the ionCube PHP Loader

Gonna try with more recent version of PHP, 4.3.7 for example.
 [2005-03-16 14:02 UTC] ep at numlog dot fr
The problem occurs while using the same connection
for more than one ssh2_scp_recv (a 'for' loop).
No problem when creating a new connection for each ssh2_scp_recv.

FAILS :
if($connection = my_ssh2_connect()){
  $arrayloc[0] = 'toto1' ;
  $arrayloc[1] = 'toto2' ;
 if (my_ssh2_auth_password($connection)){
   for($i=0; $i < count() ; $i++){
     ssh2_scp_send($connection,$arrayloc[$i] , $arrayloc[$i]."snd",0644) ;
   }
  }
}

WORKS:

  $arrayloc[0] = 'toto1' ;
  $arrayloc[1] = 'toto2' ;
 
   for($i=0; $i < count() ; $i++){
if($connection = my_ssh2_connect()){
  if (my_ssh2_auth_password($connection)){
     ssh2_scp_send($connection,$arrayloc[$i] , $arrayloc[$i]."snd",0644) ;
   }
  }
}


Hope it can help !!!
 [2005-03-16 14:37 UTC] ep at numlog dot fr
Well, in fact, it is not so simple...

The segfault occurs when using the connection with
a ssh2_exec() function before the ssh2_scp_send function.

FAILS : 
$connection = my_ssh2_connect();
$stream = ssh2_exec($connection, "ls -ls");
ssh2_scp_send($connection,"toto1" , "toto1.snd",0644) ;

I didn't notice a segfault when using a ssh2_exec after to use a ssh2_scp_[send/recv] function.

to be continued ?
 [2005-05-18 00:53 UTC] pollita@php.net
Please try libssh2 0.10 and pecl/ssh 0.8
 [2005-10-23 09:21 UTC] mike@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 21:01:27 2024 UTC