Bug #65818 Segfault with built-in webserver and chunked transfer encoding
Submitted: 2013-10-02 18:54 UTC Modified: 2013-10-02 19:16 UTC
From: ysangkok at gmail dot com Assigned:
Status: Closed Package: Built-in web server
PHP Version: 5.5.4 OS: Linux
Private report: No CVE-ID:
 [2013-10-02 18:54 UTC] ysangkok at gmail dot com
Description:
------------
Chunked transfer encoding crashes the built-in webserver.

Test script:
---------------
#!/bin/bash
# Start the built-in server in the background (the reporter's follow-up comment notes
# the missing '&'), give it time to bind, then send a chunked POST whose body stops
# right after the "0" last-chunk marker, with no terminating CRLF.
php -S 127.0.0.1:8801 &
sleep 2
echo -ne "POST /c.php HTTP/1.0\r
Transfer-Encoding: chunked\r
\r
3b\r
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r
49\r
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\r
0" | nc 127.0.0.1 8801

Expected result:
----------------
No segfault

Actual result:
--------------
(gdb) run -S 127.0.0.1:8801
Starting program: /usr/bin/php5 -S 127.0.0.1:8801
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
PHP 5.5.4-1+debphp.org~raring+1 Development Server started at Wed Oct  2 20:52:35 2013
Listening on http://127.0.0.1:8801
Document root is /var/www
Press Ctrl-C to quit.
[Wed Oct  2 20:52:37 2013] 127.0.0.1:42191 Invalid request (Unexpected EOF)
*** Error in `/usr/bin/php5': free(): invalid next size (fast): 0x089f8658 ***

Program received signal SIGSEGV, Segmentation fault.
0xb783c8a0 in malloc_consolidate (av=av@entry=0xb7975440 <main_arena>) at malloc.c:4081
4081	malloc.c: No such file or directory.
(gdb) bt
#0  0xb783c8a0 in malloc_consolidate (av=av@entry=0xb7975440 <main_arena>) at malloc.c:4081
#1  0xb783db73 in _int_malloc (av=av@entry=0xb7975440 <main_arena>, bytes=bytes@entry=630) at malloc.c:3358
#2  0xb7840682 in __libc_calloc (n=630, elem_size=1) at malloc.c:3169
#3  0xb7fe8931 in _dl_new_object (realname=realname@entry=0x89f85f0 "/lib/i386-linux-gnu/libgcc_s.so.1", libname=libname@entry=0xb792e605 "libgcc_s.so.1", 
    type=type@entry=2, loader=loader@entry=0x0, mode=mode@entry=-1879048191, nsid=nsid@entry=0) at dl-object.c:76
#4  0xb7fe4520 in _dl_map_object_from_fd (name=name@entry=0xb792e605 "libgcc_s.so.1", fd=10, fbp=fbp@entry=0xbfffd0ec, 
    realname=0x89f85f0 "/lib/i386-linux-gnu/libgcc_s.so.1", loader=loader@entry=0x0, l_type=l_type@entry=2, mode=mode@entry=-1879048191, 
    stack_endp=stack_endp@entry=0xbfffd0e8, nsid=nsid@entry=0) at dl-load.c:1053
#5  0xb7fe6449 in _dl_map_object (loader=0x0, loader@entry=0xb7979000, name=name@entry=0xb792e605 "libgcc_s.so.1", type=type@entry=2, 
    trace_mode=trace_mode@entry=0, mode=mode@entry=-1879048191, nsid=0) at dl-load.c:2606
#6  0xb7ff1075 in dl_open_worker (a=a@entry=0xbfffd48c) at dl-open.c:228
#7  0xb7fed05e in _dl_catch_error (objname=objname@entry=0xbfffd484, errstring=errstring@entry=0xbfffd488, mallocedp=mallocedp@entry=0xbfffd483, 
    operate=operate@entry=0xb7ff0f40 <dl_open_worker>, args=args@entry=0xbfffd48c) at dl-error.c:177
#8  0xb7ff0af4 in _dl_open (file=0xb792e605 "libgcc_s.so.1", mode=-2147483647, caller_dlopen=0xb78ccc38 <init+40>, nsid=-2, argc=3, argv=0xbffff2e4, 
    env=0x8897008) at dl-open.c:656
#9  0xb78f0711 in do_dlopen (ptr=ptr@entry=0xbfffd630) at dl-libc.c:87
#10 0xb7fed05e in _dl_catch_error (objname=0xbfffd608, errstring=0xbfffd60c, mallocedp=0xbfffd607, operate=0xb78f06b0 <do_dlopen>, args=0xbfffd630)
    at dl-error.c:177
#11 0xb78f0807 in dlerror_run (operate=operate@entry=0xb78f06b0 <do_dlopen>, args=args@entry=0xbfffd630) at dl-libc.c:46
#12 0xb78f0897 in __GI___libc_dlopen_mode (name=name@entry=0xb792e605 "libgcc_s.so.1", mode=mode@entry=-2147483647) at dl-libc.c:163
#13 0xb78ccc38 in init () at ../sysdeps/i386/backtrace.c:43
#14 0xb77b6dae in pthread_once () at ../nptl/sysdeps/unix/sysv/linux/i386/pthread_once.S:120
#15 0xb78ccea5 in __GI___backtrace (array=array@entry=0xbfffd880, size=size@entry=64) at ../sysdeps/i386/backtrace.c:120
#16 0xb7831ad1 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0xb7934530 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:178
#17 0xb783c7e2 in malloc_printerr (action=<optimized out>, str=<optimized out>, ptr=0x89f8658) at malloc.c:4902
#18 0xb783d530 in _int_free (av=0xb7975440 <main_arena>, p=0x89f8650, have_lock=0) at malloc.c:3758
#19 0x08415c04 in php_cli_server_request_dtor (req=0x89f8484) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:1328
#20 php_cli_server_client_dtor (client=0x89f8440) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:1768
#21 php_cli_server_client_dtor_wrapper (p=0x89f85a4) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2109
#22 0x08366a98 in zend_hash_del_key_or_index (ht=ht@entry=0x88929ac <server+556>, arKey=arKey@entry=0x0, nKeyLength=nKeyLength@entry=0, h=<optimized out>, 
    flag=flag@entry=1) at /build/buildd/php5-5.5.4+dfsg/Zend/zend_hash.c:532
#23 0x08415cc8 in php_cli_server_close_connection (server=server@entry=0x8892780 <server>, client=0x89f8440)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:1785
#24 0x0841909e in php_cli_server_recv_event_read_request (server=0x8892780 <server>, client=0x89f8440)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2234
#25 0x08419590 in php_cli_server_do_event_for_each_fd_callback (_params=_params@entry=0xbfffe064, fd=fd@entry=9, event=event@entry=1)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2331
#26 0x08419f3c in php_cli_server_poller_iter_on_active (opaque=0xbfffe064, poller=<optimized out>, callback=<optimized out>)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:838
#27 php_cli_server_do_event_for_each_fd (server=<optimized out>, rhandler=<optimized out>, whandler=<optimized out>)
    at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2352
#28 php_cli_server_do_event_loop (server=<optimized out>) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2362
#29 do_cli_server (argc=argc@entry=3, argv=argv@entry=0x8897e20) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli_server.c:2463
#30 0x080990fb in main (argc=3, argv=0x8897e20) at /build/buildd/php5-5.5.4+dfsg/sapi/cli/php_cli.c:1381
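
Added example, not part of the bug report and not PHP's code or the fix in the linked commit: a bounds-checked chunked-body decoder in C, showing what safe handling of the request above looks like. Every read is checked against the input length and every write against the output capacity, so the body as nc sends it (cut off right after the "0" last-chunk marker, the server's "Unexpected EOF") is reported as truncated rather than mishandled. decode_report_body builds the report's body in memory (a constructed sample) and returns the negated status on failure or the decoded length on success.

```c
#include <ctype.h>
#include <string.h>
enum chunk_status { CHUNK_OK, CHUNK_TRUNCATED, CHUNK_MALFORMED, CHUNK_TOO_LARGE };

/* Consume a CRLF at *pos, or say why it could not. */
static enum chunk_status crlf(const char *in, size_t n, size_t *pos)
{
    if (*pos + 2 > n) return CHUNK_TRUNCATED;
    if (in[*pos] != '\r' || in[*pos + 1] != '\n') return CHUNK_MALFORMED;
    return *pos += 2, CHUNK_OK;
}
/* Decode a chunked body (RFC 7230 section 4.1) from in[0..n) into out[0..cap). Every read
 * is checked against n and every write against cap, so a body that stops early (the report's
 * "Unexpected EOF") returns an error code instead of touching memory out of bounds. */
enum chunk_status decode_chunked(const char *in, size_t n, char *out, size_t cap, size_t *len)
{
    size_t pos = 0;
    enum chunk_status st;
    for (*len = 0;;) {
        size_t size = 0, digits = 0;
        while (pos < n && isxdigit((unsigned char)in[pos])) {            /* chunk-size (hex) */
            int c = tolower((unsigned char)in[pos++]), v = isdigit(c) ? c - '0' : c - 'a' + 10;
            if (size > ((size_t)-1 - v) / 16) return CHUNK_TOO_LARGE;    /* size would overflow */
            size = size * 16 + v; digits++;
        }
        if (digits == 0) return pos < n ? CHUNK_MALFORMED : CHUNK_TRUNCATED;
        while (pos < n && in[pos] != '\r') pos++;                        /* skip chunk-ext */
        if ((st = crlf(in, n, &pos)) != CHUNK_OK) return st;
        if (size == 0) return crlf(in, n, &pos);                         /* CRLF after last-chunk */
        if (size > n - pos) return CHUNK_TRUNCATED;                      /* chunk-data cut off */
        if (size > cap - *len) return CHUNK_TOO_LARGE;                   /* output would overflow */
        memcpy(out + *len, in + pos, size);
        pos += size; *len += size;
        if ((st = crlf(in, n, &pos)) != CHUNK_OK) return st;
    }
}

/* Constructed sample: the report's body (0x3b 'a', 0x49 'b', then "0"). terminated == 0 stops
 * right after "0", as the reporter's nc command does. Returns decoded length or -status. */
long decode_report_body(int terminated)
{
    char in[192], out[192];
    size_t n = 4, len;
    memcpy(in, "3b\r\n", 4); memset(in + n, 'a', 0x3b); n += 0x3b;
    memcpy(in + n, "\r\n49\r\n", 6); n += 6; memset(in + n, 'b', 0x49); n += 0x49;
    memcpy(in + n, "\r\n0", 3); n += 3;
    if (terminated) { memcpy(in + n, "\r\n\r\n", 4); n += 4; }
    enum chunk_status st = decode_chunked(in, n, out, sizeof out, &len);
    return st == CHUNK_OK ? (long)len : -(long)st;
}
```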

History

 [2013-10-02 18:56 UTC] ysangkok at gmail dot com
The second line of the test script needs an ampersand at the end!
 [2013-10-02 18:57 UTC] aharvey@php.net
-Package: Unknown/Other Function +Package: Built-in web server
 [2013-10-02 19:16 UTC] aharvey@php.net
-Status: Open +Status: Verified
 [2013-10-02 19:16 UTC] aharvey@php.net
Verified on current 5.4, 5.5 and master builds.
 [2013-10-05 15:53 UTC] felipe@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3aaee86ee33af276d2e879f5a645cc6dc850de22
Log: - Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding)
 [2013-10-05 15:53 UTC] felipe@php.net
-Status: Verified +Status: Closed
 [2013-10-07 11:51 UTC] ab@php.net
Automatic comment on behalf of felipensp@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3aaee86ee33af276d2e879f5a645cc6dc850de22
Log: - Fixed bug #65818 (Segfault with built-in webserver and chunked transfer encoding)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 07:02:14 2014 UTC