Bug #57797 ssh2 seg fault
Submitted: 2007-08-25 12:12 UTC Modified: 2011-09-21 14:50 UTC
From: wilmar dot campos at gmail dot com Assigned: bjori (profile)
Status: Closed Package: ssh2 (PECL)
PHP Version: 5.2.1 OS: Slackware 10
Private report: No CVE-ID: None
 [2007-08-25 12:12 UTC] wilmar dot campos at gmail dot com
Description:
------------
Hello, I am running php 5.2.1, libssh2-0.15 and ssh2-0.10.
When I run the following code, I got a seg fault from apache.

Code:
<?php
echo "load....";
$connection = ssh2_connect("host", 22);
  // use any of the ssh2_auth_* methods
ssh2_auth_password($connection,"root", "pass");
$sftp = ssh2_sftp($connection);
$dir = "ssh2.sftp://$sftp/path/to/dir/";
$dh = opendir($dir);
while (($file = readdir($dh)) !== false) {
  echo "$file is in hostname:/path/to/dir\n";
}
closedir($dh);
?> 



Reproduce code:
---------------
root@lapps:/etc/rc.d# httpd -X
Segmentation fault


Expected result:
----------------
Backtrace:
#0  0xb79f5721 in TaoCrypt::Integer::operator= () from /usr/lib/apache2/libphp5.so
No symbol table info available.
#1  0xb7a04a72 in yaSSL::Integer::assign () from /usr/lib/apache2/libphp5.so
No symbol table info available.
#2  0xb79d56e7 in BN_bin2bn () from /usr/lib/apache2/libphp5.so
No symbol table info available.
#3  0xb76409cd in libssh2_kex_method_diffie_hellman_group14_sha1_key_exchange (session=0x8265f2c) at kex.c:527
        p_value = "?????????\017ڢ!h?4??b\213\200?\034?)\002N\b\212g?t\002\v??;\023\233\"QJ\by\2164\004??\225\031??:C\0330+\nm?_\0247O?5mmQ?E?\205?vb^~??LB??7?k\v?\\??\006???8k?Z\211\237??\237$\021|K\037?I(fQ??[=?\000|??c?\005\230?H6\034U?\232i\026???$?_\203e]#ܣ?\226\034b?V \205R?\236?)\ap\226\226mg\f5NJ?\230\004?tl\b?\030!|2\220^F.6?;?\236w,\030\016\206\003"...
        p = (BIGNUM *) 0x8266070
        g = (BIGNUM *) 0x8266088
        ret = 136733268
#4  0xb7641fb4 in libssh2_kex_exchange (session=0x8265f2c, reexchange=0) at kex.c:1179
        data = (unsigned char *) 0x825ecfc "\024(q4\217\\\214h n\006?8\215_\031X"
        data_len = 624
#5  0xb7645d52 in libssh2_session_startup (session=0x8265f2c, socket=64) at session.c:269
        data = (unsigned char *) 0xbfa92928 "x)???\222??,_&\bTb&\bx)?? ?\206?,_&\b\f"
        data_len = 3076807720
        service = "\027\000\000\000,_&\b8)??4[d??"
        service_length = 64
#6  0xb786f520 in php_ssh2_session_connect (host=0x8266254 "", port=136732460, methods=0x0, callbacks=0x0)
    at /usr/src/php-5.1.2/ext/ssh2/ssh2.c:424
        container = (zval **) 0xbfa929b8
        session = (LIBSSH2_SESSION *) 0x8265f2c
        socket = 12
        data = (php_ssh2_session_data *) 0x8266254
#7  0xb786fb0b in zif_ssh2_connect (ht=2, return_value=0x825ebac, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /usr/src/php-5.1.2/ext/ssh2/ssh2.c:455
        session = (LIBSSH2_SESSION *) 0x40
        methods = (zval *) 0x0
        callbacks = (zval *) 0x0
        host = 0x825eb6c "hostname"
        port = 22
        host_len = 14
#8  0xb7951fd3 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfa92b90) at zend_vm_execute.h:192
        return_reference = 0 '\0'
        opline = (zend_op *) 0x8262ebc
        original_return_value = (zval **) 0x8262ed8
        current_scope = (zend_class_entry *) 0x0
        current_this = (zval *) 0x0
        should_change_scope = 0 '\0'


Actual result:
--------------
root@lapps:/etc/rc.d# gdb httpd
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run -X
Starting program: /usr/sbin/httpd -X
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 28231)]


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28231)]
0xb79e6481 in TaoCrypt::Integer::operator= () from /usr/lib/apache2/libphp5.so
(gdb) 
#0  0xb79e6481 in TaoCrypt::Integer::operator= () from /usr/lib/apache2/libphp5.so
#1  0xb79f57d2 in yaSSL::Integer::assign () from /usr/lib/apache2/libphp5.so
#2  0xb79c6447 in BN_bin2bn () from /usr/lib/apache2/libphp5.so
#3  0xb76318dd in libssh2_kex_method_diffie_hellman_group14_sha1_key_exchange (session=0x8265f2c) at kex.c:527
#4  0xb7632eca in libssh2_kex_exchange (session=0x8265f2c, reexchange=0) at kex.c:1179
#5  0xb7636bc2 in libssh2_session_startup (session=0x8265f2c, socket=64) at session.c:269
#6  0xb7860520 in php_ssh2_session_connect (host=0x8266254 "", port=136732460, methods=0x0, callbacks=0x0)
    at /usr/src/php-5.1.2/ext/ssh2/ssh2.c:424
#7  0xb7860b0b in zif_ssh2_connect (ht=2, return_value=0x825ebac, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /usr/src/php-5.1.2/ext/ssh2/ssh2.c:455
#8  0xb7942d33 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfc3bd40) at zend_vm_execute.h:192
#9  0xb7942579 in execute (op_array=0x825e96c) at zend_vm_execute.h:92
#10 0xb792909c in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/php-5.1.2/Zend/zend.c:1101
#11 0xb78ee17f in php_execute_script (primary_file=0xbfc3e0c0) at /usr/src/php-5.1.2/main/main.c:1720
#12 0xb79a0dab in php_handler (r=0x824ff38) at /usr/src/php-5.1.2/sapi/apache2handler/sapi_apache2.c:584
#13 0x080733c6 in ap_run_handler (r=0x824ff38) at config.c:157
#14 0x08073968 in ap_invoke_handler (r=0x824ff38) at config.c:371
#15 0x08088ecf in ap_process_request (r=0x824ff38) at http_request.c:258
#16 0x08086cb9 in ap_process_http_connection (c=0x824be78) at http_core.c:184
#17 0x080792b6 in ap_run_process_connection (c=0x824be78) at connection.c:43
#18 0x0809acf6 in child_main (child_num_arg=64) at prefork.c:640
#19 0x0809adf0 in make_child (s=0x80c8cc8, slot=0) at prefork.c:680
#20 0x0809b8ba in ap_mpm_run (_pconf=0x80c8cc8, plog=0x81021e8, s=0x1) at prefork.c:956
#21 0x080622ac in main (argc=2, argv=0xbfc3e454) at main.c:717
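The same SFTP directory listing with host-key pinning and a failure check around every step, as an added example that is not the reporter's code; the host, credentials and expected fingerprint are placeholders, and the ssh2.sftp:// path uses intval($sftp) as the PHP manual recommends.

```php
<?php
// Added example (not the reporter's code): list a remote directory over SFTP,
// refusing to send credentials until the server's host key has been verified.
// Host, credentials and the expected fingerprint below are placeholders.
$host = 'sftp.example.com';
$port = 22;
$user = 'deploy';
$pass = 'PLACEHOLDER_PASSWORD';
// Placeholder: MD5 host-key fingerprint recorded on a trusted first connection
// (32 hex characters, as returned by ssh2_fingerprint() with the HEX flag).
$expectedFingerprint = '0123456789ABCDEF0123456789ABCDEF';

$connection = ssh2_connect($host, $port);
if ($connection === false) {
    exit("ssh2_connect to $host:$port failed\n");
}

// Pin the host key before authenticating, so a connection to an impostor
// is dropped instead of being handed the password.
$fingerprint = ssh2_fingerprint($connection, SSH2_FINGERPRINT_MD5 | SSH2_FINGERPRINT_HEX);
if (strtoupper($fingerprint) !== strtoupper($expectedFingerprint)) {
    exit("host key mismatch for $host: got $fingerprint\n");
}

if (!ssh2_auth_password($connection, $user, $pass)) {
    exit("authentication failed for $user@$host\n");
}

$sftp = ssh2_sftp($connection);
if ($sftp === false) {
    exit("could not start the SFTP subsystem\n");
}

// The stream wrapper wants the resource id, not the "Resource id #N" string.
$dir = 'ssh2.sftp://' . intval($sftp) . '/path/to/dir/';
$dh = opendir($dir);
if ($dh === false) {
    exit("opendir($dir) failed\n");
}
while (($file = readdir($dh)) !== false) {
    if ($file === '.' || $file === '..') {
        continue;
    }
    echo "$file is in $host:/path/to/dir\n";
}
closedir($dh);
```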

 [2007-10-22 20:00 UTC] jeff dot wolkove at shps dot com
Is there a fix or workaround for this yet? 
I have the same problem on php 5.2.2 with Redhat.
 [2011-06-15 03:22 UTC] kamil at klecza dot pl
Almost 4 years later and I've faced this bug too :/
 [2011-09-21 14:50 UTC] bjori@php.net
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.