Bug #64355 Segfault when accepting ssl connection
Submitted: 2013-03-05 07:55 UTC
Modified: 2013-06-26 13:59 UTC
Votes: 15
Avg. Score: 4.9 ± 0.5
Reproduced: 7 of 11 (63.6%)
Same Version: 5 (71.4%)
Same OS: 7 (100.0%)
From: nicolyon at free dot fr
Assigned:
Status: Not a bug
Package: OpenSSL related
PHP Version: 5.4.12
OS: Linux
Private report: No
CVE-ID: None
 [2013-03-05 07:55 UTC] nicolyon at free dot fr
Description:
------------
When accepting a connection from an SSL socket with openssl >= 1.0.1d, PHP crashes.
When using openssl 1.0.1c or lower, there's no crash.

Here is the stack:
#0  0x00007f2f58eafd1a in ssl_set_cert_masks () from /usr/lib/libssl.so.1.0.0
#1  0x00007f2f58eb0596 in ssl_get_server_send_pkey () from /usr/lib/libssl.so.1.0.0
#2  0x00007f2f58eb0689 in ssl_get_server_send_cert () from /usr/lib/libssl.so.1.0.0
#3  0x00007f2f4c84bf23 in php_SSL_new_from_context () from /usr/lib/php/extensions/openssl.so
#4  0x00007f2f4c84d5b9 in php_openssl_sockop_set_option () from /usr/lib/php/extensions/openssl.so
#5  0x00000000006247cc in _php_stream_set_option ()
#6  0x000000000062fe9e in php_stream_xport_crypto_setup ()
#7  0x00007f2f4c84d294 in php_openssl_sockop_set_option () from /usr/lib/php/extensions/openssl.so
#8  0x00000000006247cc in _php_stream_set_option ()
#9  0x000000000062fcb9 in php_stream_xport_accept ()
#10 0x00000000005c9e9c in zif_stream_socket_accept ()


Test script:
---------------
<?php
// SSL server socket; the stream context is created with no options set.
$context = stream_context_create();
$errno = 0;
$errstr = "";
$s = stream_socket_server( "ssl://127.0.0.1:800", $errno, $errstr, STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $context );

Then just run telnet localhost 800 to trigger the crash.

Expected result:
----------------
no crash

Actual result:
--------------
segfault

 [2013-05-09 08:32 UTC] simone at edinet dot info
Same problem happens with 
PHP 5.4.14
OpenSSL 1.0.1e


GDB bt:
#0  0x00007f8493d2300a in ssl_set_cert_masks () from /usr/local/ssl/lib/libssl.so.1.0.0
#1  0x00007f8493d23886 in ssl_get_server_send_pkey () from /usr/local/ssl/lib/libssl.so.1.0.0
#2  0x00007f8493d23979 in ssl_get_server_send_cert () from /usr/local/ssl/lib/libssl.so.1.0.0
#3  0x000000000047880b in php_SSL_new_from_context (ctx=0x1504f80, stream=stream@entry=0x7f8495ef7c98) at /usr/local/sorgenti/src/php-5.4.14/ext/openssl/openssl.c:4574
#4  0x0000000000479e2c in php_openssl_setup_crypto (sslsock=0x7f8495ef7c20, stream=0x7f8495ef7c98, cparam=<optimized out>) at /usr/local/sorgenti/src/php-5.4.14/ext/openssl/xp_ssl.c:410
#5  php_openssl_sockop_set_option (stream=0x7f8495ef7c98, option=<optimized out>, value=<optimized out>, ptrparam=0x7fff88da47b0) at /usr/local/sorgenti/src/php-5.4.14/ext/openssl/xp_ssl.c:755
#6  0x000000000071fe4c in _php_stream_set_option (stream=stream@entry=0x7f8495ef7c98, option=option@entry=8, value=value@entry=0, ptrparam=ptrparam@entry=0x7fff88da47b0)
    at /usr/local/sorgenti/src/php-5.4.14/main/streams/streams.c:1358
#7  0x000000000072a487 in php_stream_xport_crypto_setup (stream=stream@entry=0x7f8495ef7c98, crypto_method=<optimized out>, session_stream=<optimized out>)
    at /usr/local/sorgenti/src/php-5.4.14/main/streams/transports.c:364
#8  0x00000000006cdea7 in zif_stream_socket_enable_crypto (ht=<optimized out>, return_value=0x7f8495ef9b00, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /usr/local/sorgenti/src/php-5.4.14/ext/standard/streamsfuncs.c:1506
#9  0x0000000000808af0 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f8495ec4288) at /usr/local/sorgenti/src/php-5.4.14/Zend/zend_vm_execute.h:643
#10 0x00000000007c45ec in execute (op_array=0x1504e30) at /usr/local/sorgenti/src/php-5.4.14/Zend/zend_vm_execute.h:410
#11 0x0000000000767790 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/local/sorgenti/src/php-5.4.14/Zend/zend.c:1315
#12 0x0000000000709d99 in php_execute_script (primary_file=primary_file@entry=0x7fff88da6db0) at /usr/local/sorgenti/src/php-5.4.14/main/main.c:2492
#13 0x000000000080b111 in do_cli (argc=60, argv=0x7fff88da8218) at /usr/local/sorgenti/src/php-5.4.14/sapi/cli/php_cli.c:988
#14 0x00000000004382f5 in main (argc=60, argv=0x7fff88da8218) at /usr/local/sorgenti/src/php-5.4.14/sapi/cli/php_cli.c:1364

Test script:
---------------
FTP login (SSL) [ext/ftp/tests/002.phpt]

Expected result:
----------------
no crash

Actual result:
--------------
segfault
 [2013-06-26 13:55 UTC] ntdm at hotmail dot com
OpenSSL bug #703031? http://openssl.6102.n7.nabble.com/NULL-ptr-deref-when-calling-SSL-get-certificate-with-1-0-0k-td43636.html
 [2013-06-26 13:59 UTC] felipe@php.net
-Status: Open +Status: Not a bug
 [2013-06-26 13:59 UTC] felipe@php.net
Thanks for the info. So not a bug in PHP, but in the OpenSSL library.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 10:01:26 2024 UTC