Bug #65936 dangling context pointer causes crash
Submitted: 2013-10-21 10:52 UTC Modified: 2013-10-21 10:53 UTC
From: tony2001@php.net Assigned: tony2001
Status: Closed Package: Reproducible crash
PHP Version: 5.5Git-2013-10-21 (Git) OS: *
Private report: No CVE-ID:
 [2013-10-21 10:52 UTC] tony2001@php.net
Description:
------------
Pointer to stream context is not cleared in persistent stream struct, which results in a crash when re-using that stream.

Test script:
---------------
<?php

function connect($host, $port, $timeout = 1) {
    $conn_str = "tcp://{$host}:{$port}";
    $opts = STREAM_CLIENT_CONNECT | STREAM_CLIENT_ASYNC_CONNECT | STREAM_CLIENT_PERSISTENT;
    $sock = stream_socket_client($conn_str, $errno, $errstr, $timeout, $opts);
    return $sock;
}

$sock = connect("google.com", 80);

$req = "GET / HTTP/1.0\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n";

$len = fwrite($sock, $req);

$data = stream_get_contents($sock);

echo $data;

Expected result:
----------------
No crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000764140 in php_stream_context_get_option (context=0x7fd70dd833f8, wrappername=0xbe6fae "socket", optionname=0xbe6fa7 "bindto", 
    optionvalue=0x7fff2c7b1680) at /local/git/php-src/main/streams/streams.c:2219
2219            if (FAILURE == zend_hash_find(Z_ARRVAL_P(context->options), (char*)wrappername, strlen(wrappername)+1, (void**)&wrapperhash)) {
(gdb) bt
#0  0x0000000000764140 in php_stream_context_get_option (context=0x7fd70dd833f8, wrappername=0xbe6fae "socket", optionname=0xbe6fa7 "bindto", 
    optionvalue=0x7fff2c7b1680) at /local/git/php-src/main/streams/streams.c:2219
#1  0x0000000000773725 in php_tcp_sockop_connect (stream=0x10e2840, sock=0x10e08b0, xparam=0x7fff2c7b1780)
    at /local/git/php-src/main/streams/xp_socket.c:656
#2  0x0000000000773bc4 in php_tcp_sockop_set_option (stream=0x10e2840, option=7, value=0, ptrparam=0x7fff2c7b1780)
    at /local/git/php-src/main/streams/xp_socket.c:757
#3  0x0000000000761a76 in _php_stream_set_option (stream=0x10e2840, option=7, value=0, ptrparam=0x7fff2c7b1780)
    at /local/git/php-src/main/streams/streams.c:1353
#4  0x000000000077196e in php_stream_xport_connect (stream=0x10e2840, name=0x7fd70dd7fc9e "google.com:80", namelen=13, asynchronous=1, 
    timeout=0x7fff2c7b19e0, error_text=0x7fff2c7b18e0, error_code=0x7fff2c7b19d4) at /local/git/php-src/main/streams/transports.c:243
#5  0x00000000007713fb in _php_stream_xport_create (name=0x7fd70dd7fc9e "google.com:80", namelen=13, options=8, flags=18, 
    persistent_id=0x7fd70dd82da8 "stream_socket_client__tcp://google.com:80", timeout=0x7fff2c7b19e0, context=0x7fd70dd833f8, error_string=0x7fff2c7b19c0, 
    error_code=0x7fff2c7b19d4, __php_stream_call_depth=0, __zend_filename=0xbdf140 "/local/git/php-src/ext/standard/streamsfuncs.c", __zend_lineno=134, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/git/php-src/main/streams/transports.c:143
#6  0x0000000000726d3b in zif_stream_socket_client (ht=5, return_value=0x7fd70dd81690, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
    at /local/git/php-src/ext/standard/streamsfuncs.c:131
#7  0x0000000000816f6e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:550
#8  0x000000000081b868 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:2329
#9  0x000000000081665f in execute_ex (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:363
#10 0x00000000008166e7 in zend_execute (op_array=0x7fd70dd7fd78) at /local/git/php-src/Zend/zend_vm_execute.h:388
#11 0x00000000007d8554 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /local/git/php-src/Zend/zend.c:1320
#12 0x00000000007452fe in php_execute_script (primary_file=0x7fff2c7b61a0) at /local/git/php-src/main/main.c:2489
#13 0x0000000000892bcf in main (argc=1, argv=0x7fff2c7b63c8) at /local/git/php-src/sapi/fpm/fpm/fpm_main.c:1933

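The lifecycle behind this report, as an added C model written for this page (not php-src code; every name in it is invented): a persistent stream survives the request, but the context it points to is per-request, so end-of-request cleanup has to drop the pointer and the option lookup has to treat "no context" as "no options" when the stream is reused.

```c
/* Added illustration, not php-src code: a minimal model of the lifecycle in
 * bug #65936. A persistent stream outlives the request, but the context it
 * points to is freed with the request. The safe path clears the pointer at
 * request end and reports "no option" on reuse instead of dereferencing it.
 * All struct and function names here are invented for the example. */
#include <stdlib.h>
#include <string.h>

struct context { const char *bindto; };             /* per-request options   */
struct stream  { int persistent; struct context *context; };

/* Modelled on the role of php_stream_context_get_option: returns 1 and sets
 * *out when the option exists, 0 otherwise. A NULL context is not an error. */
static int context_get_option(const struct context *ctx, const char *name,
                              const char **out) {
    if (ctx == NULL) return 0;                     /* no context -> no options */
    if (strcmp(name, "bindto") == 0 && ctx->bindto) { *out = ctx->bindto; return 1; }
    return 0;
}

/* End-of-request cleanup. The context dies with the request; a persistent
 * stream does not, so the pointer must be cleared here. Leaving it set is the
 * dangling pointer the report describes. */
static void stream_request_end(struct stream *s, struct context *ctx) {
    free(ctx);
    s->context = NULL;                             /* forget the freed context */
    if (!s->persistent) free(s);
}

/* Connect step of a later request that reuses the persistent stream. */
static const char *connect_bind_address(struct stream *s) {
    const char *bindto;
    if (context_get_option(s->context, "bindto", &bindto)) return bindto;
    return "0.0.0.0";                              /* default: no bindto option */
}

/* Two requests sharing one persistent stream; returns the address the second
 * connect binds to (the default, because the first request's context is gone). */
const char *simulate_two_requests(void) {
    struct stream  *s   = malloc(sizeof *s);
    struct context *ctx = malloc(sizeof *ctx);
    s->persistent = 1;
    ctx->bindto   = "10.0.0.5:0";                  /* constructed sample option */
    s->context    = ctx;                           /* request 1 attaches context */
    stream_request_end(s, ctx);                    /* request 1 ends            */
    const char *addr = connect_bind_address(s);    /* request 2 reuses stream   */
    free(s);
    return addr;
}
```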

History

 [2013-10-21 10:53 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: tony2001
 [2013-10-21 11:10 UTC] tony2001@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b636c03426193ecf0b7e166126a14b70ce8185e9
Log: fix bug #65936 (dangling context pointer causes crash)
 [2013-10-21 11:10 UTC] tony2001@php.net
-Status: Assigned +Status: Closed
 [2013-11-17 09:30 UTC] laruence@php.net
Automatic comment on behalf of tony2001
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b636c03426193ecf0b7e166126a14b70ce8185e9
Log: fix bug #65936 (dangling context pointer causes crash)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 02:02:10 2014 UTC