Bug #64535 php_ssh2_sftp_dirstream_read(): Segfault on error from libssh2
Submitted: 2013-03-27 21:25 UTC Modified: -
From: mjpelmear at gmail dot com Assigned:
Status: Closed Package: ssh2 (PECL)
PHP Version: Irrelevant OS: any
Private report: No CVE-ID: None
 [2013-03-27 21:25 UTC] mjpelmear at gmail dot com
Calls to php_ssh2_sftp_dirstream_read() result in a segfault (in php_basename()) when libssh2_sftp_readdir() returns an error state.

The problem seems to be that libssh2_sftp_readdir() returns a signed integer, but php_ssh2_sftp_dirstream_read() assigns the result to a size_t (unsigned), which is then treated as a signed integer.

The attached patch simply changes bytesread to be an int instead of size_t (making it match the libssh2 prototype). The remainder of the function plays nicely with this change.

I would argue that some type of feedback should also be provided when this occurs.

I ran across this issue with an older version of libssh2 and a specific sftp server (globalscape), when the remote directory has more than a small number of files in it, so I have not attached a test script since it would be difficult to recreate. However, the bug would affect any case where libssh2_sftp_readdir() returned an error condition.

Actual result:


ssh2-0.12_php_ssh2_sftp_dirstream_read-fix_segfault.patch (last revision 2013-03-27 21:26 UTC by mjpelmear at gmail dot com)
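
The signed/unsigned mismatch described in the report, shown as an added C example (not the extension's code and not the attached patch). `fake_readdir()` is a hypothetical stand-in for `libssh2_sftp_readdir()`, and the entry name and error value are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libssh2_sftp_readdir(): returns the entry name
 * length, 0 at end of directory, or a negative error code. */
static int fake_readdir(char *buf, size_t buflen, int fail)
{
    static const char name[] = "report.txt"; /* constructed sample entry */
    if (fail || buflen < sizeof(name))
        return -31;                          /* constructed error value */
    memcpy(buf, name, sizeof(name));
    return (int)(sizeof(name) - 1);
}

/* Pattern from the report: the int result is stored in a size_t.
 * Returns 1 when the caller would go on to use *len_out as a name length. */
static int read_entry_buggy(int fail, size_t *len_out)
{
    char buf[64];
    size_t bytesread = fake_readdir(buf, sizeof(buf), fail);
    if (bytesread <= 0)      /* for an unsigned type this only catches 0 */
        return 0;
    *len_out = bytesread;    /* a negative error is now a huge "length" */
    return 1;
}

/* Same logic with bytesread declared as int, matching the prototype. */
static int read_entry_fixed(int fail, size_t *len_out)
{
    char buf[64];
    int bytesread = fake_readdir(buf, sizeof(buf), fail);
    if (bytesread <= 0)      /* catches end of directory and errors */
        return 0;
    *len_out = (size_t)bytesread;
    return 1;
}

int main(void)
{
    size_t n = 0;
    if (read_entry_buggy(1, &n))
        printf("buggy: error accepted as length %zu\n", n);
    if (!read_entry_fixed(1, &n))
        printf("fixed: error rejected\n");
    return 0;
}
```

With the `size_t` variable, the error return passes the `<= 0` check and a length far larger than the 64-byte buffer reaches whatever string routine runs next.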

 [2013-03-27 21:41 UTC] mjpelmear at gmail dot com
I should note that libssh2 returns int from libssh2_sftp_readdir() in the earliest version I can find of the library, so this should not be a problem for backward compatibility.
 [2013-05-06 22:31 UTC] mjpelmear at gmail dot com
I recreated this issue with libssh2-1.2.9 and a GlobalSCAPE Secure FTP Server (v3.3.1 Build 04.28.2008.1).

To recreate, you must have a large number of files in the remote directory (we ran into it with 160 files in the directory, or with even fewer in older versions of libssh2; FileZilla 3.3.1 is not able to list the contents of the directory either, but at least does not segfault):

        // change these as needed
        $host = '';
        $port = '22';
        $username = 'username';
        $password = 'password';
        $dir = '/';

        $res = ssh2_connect( $host, $port );
        if( !$res )
                throw new Exception( 'Could not connect to server.' );
        ssh2_auth_password( $res, $username, $password );

        echo ssh2_fingerprint($res).PHP_EOL;

        $sftp = ssh2_sftp($res);
        if( !$sftp )
                throw new Exception( 'Could not open sftp stream in ssh session' );

        // resolve the configured directory to its canonical remote path
        $dir = ssh2_sftp_realpath( $sftp, $dir );
        if( !$dir )
                throw new Exception( 'bad path (1)' );

        $resource_path = 'ssh2.sftp://' . $sftp . $dir;
        $dp = opendir( $resource_path );
        if( !$dp )
                throw new Exception( 'bad path (2)' );

        $retval = array();
        while( FALSE !== ($file = readdir($dp)) ) {
                // skip hidden entries as well as '.' and '..'
                if( $file[0] == '.' || $file == '..' )
                        continue;
                // join directory and entry name with exactly one '/'
                $fp = $dir . (substr($dir,strlen($dir)-1,1) == '/' ? '' : '/') . $file;
                $file_path = ssh2_sftp_realpath( $sftp, $fp ); // SEGFAULT HERE WHEN TESTING WITH THE SPECIFIED CONDITIONS
                $retval[] = $file_path;
        }
        closedir( $dp );
 [2013-05-07 06:51 UTC]
-Status: Open +Status: Closed
 [2013-05-07 06:51 UTC]
Automatic comment on behalf of
Log: Fix #64535,  php_ssh2_sftp_dirstream_read segfault on error