Bug #60512 pdo_dblib - Seg Fault error on user/pass exceeds 30 chars
Submitted: 2011-12-13 16:21 UTC Modified: -
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: paul dot visco at roswellpark dot org Assigned:
Status: Closed Package: PDO related
PHP Version: 5.3.8 OS: Centos 5.5/Fedora 16
Private report: No CVE-ID: None
 [2011-12-13 16:21 UTC] paul dot visco at roswellpark dot org
Description:
------------
LIB: freetds-0.91-1
PHP: php 5.3.8
EXT: pdo_dblib from /ext folder of php 5.3.8 source
OS: Fedora 16/Centos 5

I was using pdo_dblib to connect to a MSSQL server db.  When the password or username is longer than 30 chars, a segmentation fault occurs, crashing PHP.

It would be ideal to instead throw the catchable error from freetds which is "20042 Name too long for LOGINREC field (severity 2)"

The problem is that the code is not checking to make sure dbproc is not NULL before processing the error info further.  In the case of the password being longer than 30 chars it is NULL, which then causes the seg fault.

Test script:
---------------
$db = new PDO("dblib:host=someserver;", "uname", '31charpasswordpasswordpasswordp');

Expected result:
----------------
20042 Name too long for LOGINREC field (severity 2)

Actual result:
--------------
segmentation fault

OUTPUT FROM gdb:
Program received signal SIGSEGV, Segmentation fault.
0x000000390502b0ff in __dcigettext () from /lib64/libc.so.6
(gdb) bt
#0  0x000000390502b0ff in __dcigettext () from /lib64/libc.so.6
#1  0x0000003905079b3c in strerror_r () from /lib64/libc.so.6
#2  0x000000390507997e in strerror () from /lib64/libc.so.6
#3  0x00002aaab26a6815 in ?? () from /usr/lib64/libsybdb.so.5
#4  0x00002aaab26a7aa9 in dbgetuserdata () from /usr/lib64/libsybdb.so.5
#5  0x00002aaab3bc2c59 in error_handler (dbproc=0x39051200a9, severity=85066262, dberr=0, oserr=0, dberrstr=0x0, oserrstr=0x5 <Address 0x5 out of bounds>)
    at /home/ROSWELL/visco/php-5.3.8/ext/pdo_dblib/pdo_dblib.c:98
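
The NULL check the report asks for, as an added example that is not part of the original report, the attached patch, or php-src. The `MOCK_`/`mock_` names, the `err_info` struct and the `login_err` fallback buffer are assumptions made so the sketch compiles without FreeTDS; the error number and message are the ones quoted in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for db-lib types and constants (assumptions, not FreeTDS code). */
typedef struct { void *userdata; } MOCK_DBPROCESS;
#define MOCK_INT_CANCEL 2

typedef struct { int dberr; int severity; char msg[128]; } err_info;

/* Errors raised before any connection exists are recorded here. */
static err_info login_err;

/* Models the crash site in the backtrace: it reads through dbproc,
 * so a NULL dbproc must never reach it. */
static void *mock_dbgetuserdata(MOCK_DBPROCESS *dbproc) { return dbproc->userdata; }

/* Guarded handler: use per-connection storage only when dbproc is valid. */
int guarded_error_handler(MOCK_DBPROCESS *dbproc, int severity, int dberr,
                          int oserr, const char *dberrstr, const char *oserrstr)
{
    err_info *einfo = &login_err;           /* default: no connection yet */
    (void)oserr; (void)oserrstr;

    if (dbproc != NULL) {
        err_info *per_conn = mock_dbgetuserdata(dbproc);
        if (per_conn != NULL)
            einfo = per_conn;
    }
    einfo->dberr = dberr;
    einfo->severity = severity;
    /* dberrstr can be NULL too (it is 0x0 in the backtrace above). */
    snprintf(einfo->msg, sizeof einfo->msg, "%s", dberrstr ? dberrstr : "unknown error");
    return MOCK_INT_CANCEL;
}

/* Constructed scenario: login setup fails and the handler gets dbproc == NULL. */
int simulate_long_password_login(void)
{
    memset(&login_err, 0, sizeof login_err);
    return guarded_error_handler(NULL, 2, 20042, 0,
                                 "Name too long for LOGINREC field", NULL);
}

int main(void)
{
    simulate_long_password_login();
    printf("%d %s (severity %d)\n", login_err.dberr, login_err.msg, login_err.severity);
    return 0;
}
```

With the error recorded instead of dereferencing a NULL handle, the caller can turn it into a catchable exception after the failed login.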



Patches

prevent-segfault-with-user-or-pass-over-30chars (last revision 2011-12-13 16:22 UTC by paul dot visco at roswellpark dot org)

History

 [2012-06-15 22:06 UTC] bmherold at gmail dot com
Has there been any movement on this bug? I'm using freetds 0.91 on OS X 10.7.4 and 
php 5.3.13. HTTPD crashes when using a password of over 30 characters as seen in 
the console logs. I can also tail freetds.log and it doesn't even make it in here - 
but only when the password is over 30 chars.
 [2012-06-15 22:22 UTC] bmherold at gmail dot com
Created a gist of my crash log at: https://gist.github.com/2938986
 [2013-06-01 06:59 UTC] ssufficool@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b54de3db008490eeae8fba2e471a41906d1eae5
Log: FIX BUG #60512
 [2013-06-01 06:59 UTC] ssufficool@php.net
-Status: Open +Status: Closed
 [2013-06-01 07:05 UTC] ssufficool@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d9be9e0231277b7baf457f9a59dc7616624f8e2e
Log: FIX BUG #60512 (the correct way this time)
 [2013-06-04 03:40 UTC] ssufficool@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d8f938c78478c211dc3b5609e9f37d2e2c47896f
Log: FIX BUG #55647, #60512, #60512, #61900, #64338, #64808, #63638
 [2013-06-04 05:03 UTC] stas@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d8f938c78478c211dc3b5609e9f37d2e2c47896f
Log: FIX BUG #55647, #60512, #60512, #61900, #64338, #64808, #63638
 [2013-11-17 09:30 UTC] laruence@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d8f938c78478c211dc3b5609e9f37d2e2c47896f
Log: FIX BUG #55647, #60512, #60512, #61900, #64338, #64808, #63638
 [2013-11-17 09:31 UTC] laruence@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d9be9e0231277b7baf457f9a59dc7616624f8e2e
Log: FIX BUG #60512 (the correct way this time)
 [2013-11-17 09:31 UTC] laruence@php.net
Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b54de3db008490eeae8fba2e471a41906d1eae5
Log: FIX BUG #60512
 
Last updated: Tue Oct 19 16:03:35 2021 UTC