Bug #60885 Radius module causing Apache segmentation fault
Submitted: 2012-01-25 15:41 UTC Modified: 2013-06-20 17:40 UTC
Votes:11
Avg. Score:4.8 ± 0.6
Reproduced:9 of 10 (90.0%)
Same Version:1 (11.1%)
Same OS:2 (22.2%)
From: mark dot guetter at fh-kempten dot de Assigned: aharvey (profile)
Status: Closed Package: radius (PECL)
PHP Version: 5.3.9 OS: Mac OS X Lion Server 10.7.3
Private report: No CVE-ID: None
 [2012-01-25 15:41 UTC] mark dot guetter at fh-kempten dot de
Description:
------------
Radius module works fine until php 5.3.2
Since upgrading to Mac OS X Lion Server with php 5.3.8 I get segmentation faults from apache when "radius_create_request($res, RADIUS_ACCESS_REQUEST)" gets called.

Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8r DAV/2 PHP/5.3.8 with Suhosin-Patch 0.9.10


Actual result:
--------------
Process:         httpd [4348]
Path:            /usr/sbin/httpd
Identifier:      httpd
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  httpd [4336]

Date/Time:       2012-01-19 13:36:25.426 +0100
OS Version:      Mac OS X Server 10.7.3 (11D46)
Report Version:  9

Crashed Thread:  1  Dispatch queue: com.apple.libdispatch-manager

Exception Type:  EXC_CRASH (SIGSEGV)
Exception Codes: 0x0000000000000000, 0x0000000000000000

Application Specific Information:
objc[4336]: garbage collection is OFF

Thread 0:: Dispatch queue: com.apple.main-thread
0   libphp5.so    0x000000010a877e11 zend_do_fcall_common_helper_SPEC + 1091
1   libphp5.so    0x000000010a8784d9 execute + 594
2   libphp5.so    0x000000010a8138a5 zend_execute_scripts + 433
3   libphp5.so    0x000000010a7c432e php_execute_script + 722
4   libphp5.so    0x000000010a88cfd0 php_handler + 1062
5   httpd         0x000000010a0bb451 ap_run_handler + 97
6   httpd         0x000000010a0bbff6 ap_invoke_handler + 422
7   httpd         0x000000010a0f6b7d ap_process_request + 125
8   httpd         0x000000010a0f2773 ap_process_http_connection + 131
9   httpd         0x000000010a0d29a1 ap_run_process_connection + 97
10  httpd         0x000000010a0d2f81 ap_process_connection + 113
11  httpd         0x000000010a0ffdc3 child_main + 1699
12  httpd         0x000000010a100003 make_child + 435
13  httpd         0x000000010a10038f perform_idle_server_maintenance + 703
14  httpd         0x000000010a100abc ap_mpm_run + 1740
15  httpd         0x000000010a0c648d main + 4045
16  httpd         0x000000010a0ba794 start + 52

Patches

radius_long.patch (last revision 2013-03-12 14:52 UTC by thijs at debian dot org)

History

 [2012-04-04 18:55 UTC] ptaskinen at gmail dot com
Got the same problem on a 64bit linux-platform with php 5.3.10
After some testing, I found that this change stopped the segfaults for me
in radius.c
PHP_FUNCTION(radius_create_request)
{
        int code;
// --> change to :
        long code;

My C is quite rusty, so not sure if this is a proper fix, but I posted this here in case this helps someone (to make the proper fix :)
(It's still typed as int in rad_create_request.)
 [2012-04-10 19:15 UTC] annac at 6connect dot com
Just upgraded to PHP 5.3.10 on Mac OS Lion 10.7.3 and encountered the same seg fault from apache when radius_create_request is called.

Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/1.0.0d DAV/2 PHP/5.3.10.

Results same as below.  Will be trying the proposed work around.
 [2012-05-17 13:19 UTC] xaionaro at gmail dot com
same thing.. :(

d[17:18:29] [root@zeus:leviathan /var/www/auth.wifi.mephi.ru/root]# php -v
PHP 5.4.0-3 (cli) (built: Mar 21 2012 20:33:26) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
d[17:17:18] [root@zeus:leviathan /var/www/auth.wifi.mephi.ru/root]# gdb php
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
"/var/www/auth.wifi.mephi.ru/root/./index.php" is not a core dump: File format not recognized
(gdb) r ./index.php
Starting program: /usr/bin/php ./index.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000746f3e in ?? ()
(gdb) bt
#0  0x0000000000746f3e in ?? ()
#1  0x00000000007014cf in execute ()
#2  0x00000000006a1760 in zend_execute_scripts ()
#3  0x0000000000640fd3 in php_execute_script ()
#4  0x0000000000749b01 in ?? ()
#5  0x000000000043113e in ?? ()
#6  0x00007ffff4e1eead in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#7  0x00000000004311d5 in _start ()
 [2013-03-12 14:51 UTC] thijs at debian dot org
I've investigated and the solution proposed on [2012-04-04 18:55 UTC] by ptaskinen at gmail dot com seems actually the correct one. This is detailed in http://svn.php.net/viewvc/php/php-src/trunk/README.PARAMETER_PARSING_API?view=markup where it actually explicitly mentions that feeding ints into the zend parser function while asking for a long will lead to segfaults on 64 bit.

Changing it will make the module work again and matches with PHP's api documentation. I'm attaching it as a proper patch.
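
The size mismatch described in the comment above, as an added example that is not the radius extension's code or part of the patch: `toy_parse`, the two frame structs and the canary value are hypothetical stand-ins that model a parser storing a full `long` into a destination the caller declared as `int`. On LP64 platforms (64-bit Linux and Mac OS X) the store runs past the `int` and overwrites the neighbouring value; with `long code` it does not.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Toy parser (hypothetical): like an "l" spec, it always stores a full
 * long through the destination pointer, whatever the caller declared. */
static int toy_parse(const char *spec, const long *in, ...)
{
    va_list ap;
    int n = 0;
    va_start(ap, in);
    for (; *spec == 'l'; spec++) {
        void *dst = va_arg(ap, void *);
        memcpy(dst, &in[n++], sizeof(long));
    }
    va_end(ap);
    return n;
}

/* The two structs model adjacent locals in the caller's stack frame. */
struct buggy_frame { int  code; int canary; };  /* before: int code  */
struct fixed_frame { long code; int canary; };  /* after:  long code */
_Static_assert(sizeof(long) <= sizeof(struct buggy_frame), "model too small");

#define CANARY 0x5AFE5AFE

int buggy_canary_survives(void)
{
    struct buggy_frame f = { 0, CANARY };
    const long in[] = { 1 };          /* constructed argument value */
    toy_parse("l", in, (void *)&f);   /* &f is also the address of f.code */
    return f.canary == CANARY;
}

int fixed_canary_survives(void)
{
    struct fixed_frame f = { 0, CANARY };
    const long in[] = { 1 };
    toy_parse("l", in, (void *)&f);
    return f.canary == CANARY && f.code == 1;
}

int main(void)
{
    printf("sizeof(int)=%zu sizeof(long)=%zu\n", sizeof(int), sizeof(long));
    printf("int code:  neighbour intact = %d\n", buggy_canary_survives());
    printf("long code: neighbour intact = %d\n", fixed_canary_survives());
    return 0;
}
```

Where `long` and `int` have the same size (32-bit builds, 64-bit Windows) both functions report the neighbour intact, which matches the reports that the module worked until it was built for a 64-bit target.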
 [2013-06-20 17:40 UTC] aharvey@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: aharvey
 [2013-06-20 17:40 UTC] aharvey@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Sun Jul 12 22:01:25 2020 UTC