Bug #58384 Race condition in http_request_dtor
Submitted: 2008-10-18 17:01 UTC Modified: 2009-02-12 12:11 UTC
From: james82 at gmail dot com Assigned: mike (profile)
Status: Closed Package: pecl_http (PECL)
PHP Version: 5.1.6 OS: CentOS 5
Private report: No CVE-ID: None
 [2008-10-18 17:01 UTC] james82 at gmail dot com
Description:
------------
In http_request_api.c, _http_request_dtor inserts our HTTP request handle back into the persistent handle pool (via http_persistent_handle_release in http_curl_free) before we are finished working with the request. This can lead to multiple threads working with the same request at the same time, and can eventually cause corruption of curl data structures.

The fix for this issue is simple: We should wait until we are finished with the request before we re-insert it into the persistent handle pool. A patch which implements this against current CVS is included below.

Patch:

--- http_request_api.c  2008-08-15 04:41:38.000000000 -0700
+++ http_request_api.c.fixed    2008-10-18 13:35:35.000000000 -0700
@@ -316,8 +316,8 @@ PHP_HTTP_API void _http_request_dtor(htt
 {
        TSRMLS_FETCH_FROM_CTX(request->tsrm_ls);

-       http_curl_free(&request->ch);
        http_request_reset(request);
+       http_curl_free(&request->ch);

        phpstr_dtor(&request->_cache.cookies);
        zend_hash_destroy(&request->_cache.options);
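Review bot: the reorder is the right fix for the race described, because http_request_reset now frees the request's per-call storage while this thread still owns the handle, but nothing in the hunk records that the two calls are order-dependent, so a later tidy-up could swap them back; add a comment above the moved `http_curl_free(&request->ch);` such as `/* must follow http_request_reset: releasing the handle to the persistent pool first lets another thread reuse it while we are still freeing its storage */`. Also, the `+++` header names `http_request_api.c.fixed`, so the patch will not apply cleanly with -p0 against the tree; regenerate it with `cvs diff -u` on the file, or give both headers the same path.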


Reproduce code:
---------------
Here is an example case where memory is corrupted:

1. Thread #1 releases request into persistent handle pool (via http_persistent_handle_release in _http_curl_free).
2. Thread #2 grabs the request from the persistent handle pool, and sets up a new cookie store and url inside the request's request storage field.
3. Thread #1 frees the memory allocated by Thread #2 (via http_request_reset).
4. Thread #2 attempts to store cookies inside the previously allocated storage. Because this memory has been freed by Thread #1, this change may corrupt memory used by other threads.
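The interleaving described in the report, as an added example that is not part of the bug report or of pecl_http: a single-threaded C model of a persistent-handle pool in which the second worker is called at exactly the point where thread #2 would be scheduled, so both destructor orderings can be run deterministically. The struct, pool and function names are constructed stand-ins for pecl_http's, the URLs are constructed values, and the model nulls the freed pointer so it observes "storage gone" instead of the dangling pointer real code would keep. It generalizes the report's four steps into one function that runs either ordering and reports whether thread #2's URL survives thread #1's destructor.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a pooled request handle; not pecl_http's request struct. */
typedef struct {
    char *url;   /* stands in for per-request storage (url, cookie store) freed on reset */
} req_handle;

#define POOL_CAP 4
static req_handle *pool[POOL_CAP];
static int pool_len = 0;

/* Return a handle to the persistent pool (models http_persistent_handle_release). */
static void handle_release(req_handle *h) {
    if (pool_len < POOL_CAP) pool[pool_len++] = h;
    else free(h);
}

/* Take a pooled handle, or allocate a fresh one when the pool is empty. */
static req_handle *handle_acquire(void) {
    if (pool_len > 0) return pool[--pool_len];
    return calloc(1, sizeof(req_handle));
}

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Free per-request storage (models http_request_reset). The pointer is nulled so the
 * model sees "storage gone" rather than the dangling pointer real code would keep. */
static void request_reset(req_handle *h) {
    free(h->url);
    h->url = NULL;
}

/* Thread #2 of the report: acquire a handle and set up a URL in it. Called at the
 * point where the second thread would be scheduled, which keeps the run deterministic. */
static req_handle *second_worker(void) {
    req_handle *h = handle_acquire();
    h->url = dup_str("http://example.invalid/");  /* constructed value */
    return h;
}

/* Original dtor ordering: release to the pool first, reset afterwards. */
static req_handle *dtor_release_then_reset(req_handle *h) {
    handle_release(h);
    req_handle *other = second_worker();  /* thread #2 is handed the same handle */
    request_reset(h);                     /* and its storage is freed out from under it */
    return other;
}

/* Patched ordering: reset first, release afterwards. */
static req_handle *dtor_reset_then_release(req_handle *h) {
    request_reset(h);
    req_handle *other = second_worker();  /* pool is still empty: thread #2 gets a fresh handle */
    handle_release(h);
    return other;
}

/* Runs one destructor ordering and returns 1 if thread #2's URL survives it. */
int url_survives(int patched) {
    pool_len = 0;
    req_handle *first = handle_acquire();
    first->url = dup_str("http://first.invalid/");  /* constructed value */

    req_handle *other = patched ? dtor_reset_then_release(first)
                                : dtor_release_then_reset(first);
    int ok = other->url != NULL && strcmp(other->url, "http://example.invalid/") == 0;

    /* Tear down: every handle is 'other', sits in the pool, or is 'first' left outside it. */
    int first_pooled = 0;
    free(other->url);
    other->url = NULL;
    if (other != first) free(other);
    while (pool_len > 0) {
        req_handle *p = pool[--pool_len];
        if (p == first) first_pooled = 1;
        free(p->url);
        free(p);
    }
    if (!first_pooled) free(first);
    return ok;
}

int main(void) {
    printf("release-then-reset: URL survives = %d\n", url_survives(0));  /* 0 */
    printf("reset-then-release: URL survives = %d\n", url_survives(1));  /* 1 */
    return 0;
}
```

With the original ordering the pool hands thread #2 the very handle thread #1 is still tearing down, and the reset wipes the URL thread #2 just stored; with the patched ordering the handle only becomes visible to other threads once its storage has been released, so thread #2 gets a handle nobody else is touching.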
 


 [2008-10-21 02:58 UTC] mike@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Sep 20 21:03:37 2021 UTC