PHP :: Bug #60512 :: pdo_dblib - Seg Fault error on user/pass exceeds 30 chars

Bug #60512

pdo_dblib - Seg Fault error on user/pass exceeds 30 chars

Submitted:

2011-12-13 16:21 UTC

Modified:

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	1 (50.0%)

From:

paul dot visco at roswellpark dot org

Assigned:

Status:

Closed

Package:

PDO related

PHP Version:

5.3.8

OS:

Centos 5.5/Fedora 16

Private report:

CVE-ID:

None

View Developer Edit

[2011-12-13 16:21 UTC] paul dot visco at roswellpark dot org

Description:
------------
LIB: freetds-0.91-1
PHP: php 5.3.8
EXT: pdo_dblib from /ext folder of php 5.3.8 source
OS: Fedora 16/Centos 5

I was using pdo_dblib to connect to a MSSQL server db.  When the password or username is longer than 30 chars, a segmentation fault occurrs, crashing PHP.

It would be ideal to instead throw the catchable error from freetds which is "20042 Name too long for LOGINREC field (severity 2)"

The problem is that the code is not checking to make sure dbproc is not NULL before processing the error info further.  In the case of the password being longer than 30 chars it is NULL, which then causes the seg fault.

Test script:
---------------
$db = new PDO("dblib:host=someserver;", "uname", '31charpasswordpasswordpasswordp');

Expected result:
----------------
20042 Name too long for LOGINREC field (severity 2)

Actual result:
--------------
segmentation fault

OUTPUT FROM gdb:
Program received signal SIGSEGV, Segmentation fault.
0x000000390502b0ff in __dcigettext () from /lib64/libc.so.6
(gdb) bt
#0  0x000000390502b0ff in __dcigettext () from /lib64/libc.so.6
#1  0x0000003905079b3c in strerror_r () from /lib64/libc.so.6
#2  0x000000390507997e in strerror () from /lib64/libc.so.6
#3  0x00002aaab26a6815 in ?? () from /usr/lib64/libsybdb.so.5
#4  0x00002aaab26a7aa9 in dbgetuserdata () from /usr/lib64/libsybdb.so.5
#5  0x00002aaab3bc2c59 in error_handler (dbproc=0x39051200a9, severity=85066262, dberr=0, oserr=0, dberrstr=0x0, oserrstr=0x5 <Address 0x5 out of bounds>)
    at /home/ROSWELL/visco/php-5.3.8/ext/pdo_dblib/pdo_dblib.c:98

Patches

prevent-segfault-with-user-or-pass-over-30chars (last revision 2011-12-13 16:22 UTC by paul dot visco at roswellpark dot org)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-06-15 22:06 UTC] bmherold at gmail dot com

Has there been any movement on this bug? I'm using freetds 0.91 on OS X 10.7.4 and 
php 5.3.13. HTTPD crashes when using a password of over 30 characters as seen in 
the console logs. I can also tail freetds.log and it doesnt even make it in here - 
but only when the password is over 30 chars.

[2012-06-15 22:22 UTC] bmherold at gmail dot com

Created a gist of my crash log at: https://gist.github.com/2938986

[2013-06-01 06:59 UTC] ssufficool@php.net

Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b54de3db008490eeae8fba2e471a41906d1eae5
Log: FIX BUG #60512

[2013-06-01 06:59 UTC] ssufficool@php.net

-Status: Open +Status: Closed

[2013-06-01 07:05 UTC] ssufficool@php.net

Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d9be9e0231277b7baf457f9a59dc7616624f8e2e
Log: FIX BUG #60512 (the correct way this time)

[2013-06-04 03:40 UTC] ssufficool@php.net

Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d8f938c78478c211dc3b5609e9f37d2e2c47896f
Log: FIX BUG #55647, #60512, #60512, #61900, #64338, #64808, #63638

[2013-06-04 05:03 UTC] stas@php.net

Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d8f938c78478c211dc3b5609e9f37d2e2c47896f
Log: FIX BUG #55647, #60512, #60512, #61900, #64338, #64808, #63638

[2013-11-17 09:30 UTC] laruence@php.net

Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d8f938c78478c211dc3b5609e9f37d2e2c47896f
Log: FIX BUG #55647, #60512, #60512, #61900, #64338, #64808, #63638

[2013-11-17 09:31 UTC] laruence@php.net

Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d9be9e0231277b7baf457f9a59dc7616624f8e2e
Log: FIX BUG #60512 (the correct way this time)

[2013-11-17 09:31 UTC] laruence@php.net

Automatic comment on behalf of ssufficool
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3b54de3db008490eeae8fba2e471a41906d1eae5
Log: FIX BUG #60512

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Dec 27 02:01:29 2024 UTC