php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #66112 Use after free condition in SOAP extension (segfault)
Submitted: 2013-11-18 12:52 UTC Modified: 2013-11-24 10:13 UTC
From: martin dot koegler at brz dot gv dot at Assigned: dmitry (profile)
Status: Closed Package: SOAP related
PHP Version: 5.5.6 OS: Any
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: martin dot koegler at brz dot gv dot at
New email:
PHP Version: OS:

 

 [2013-11-18 12:52 UTC] martin dot koegler at brz dot gv dot at 
Description:
------------
do_soap_call (ext/soap/soap.c) saves the values of SOAP_GLOBAL(typemap) (and other variables) and overrides them.
After doing its work, it restores the old values.
If the code in between invokes zend_bailout (eg. because of an error/exception), the zend_bailout is catched after the restore of the values. So SOAP_GLOBAL(typemap) is not restored. 

The remaining code executes using a invalid, potential freed typemap.


Actual result:
--------------
Segfault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-11-18 12:53 UTC] martin dot koegler at brz dot gv dot at 
Workaround:
--- php-5.5.5/ext/soap/soap.c.orig      2013-11-15 16:08:13.298600954 +0100
+++ php-5.5.5/ext/soap/soap.c   2013-11-15 17:21:04.504212497 +0100
@@ -2702,6 +2702,7 @@
                SOAP_GLOBAL(features) = 0;
        }

+        zend_try {
        if (sdl != NULL) {
                fn = get_function(sdl, function);
                if (fn != NULL) {
@@ -2811,6 +2812,9 @@
                MAKE_COPY_ZVAL(&return_value, exception);
                zend_throw_exception_object(exception TSRMLS_CC);
        }
+        } zend_catch {
+            _bailout = 1;
+        } zend_end_try();

        if (SOAP_GLOBAL(encoding) != NULL) {
                xmlCharEncCloseFunc(SOAP_GLOBAL(encoding));
@@ -2820,6 +2824,8 @@
        SOAP_GLOBAL(class_map) = old_class_map;
        SOAP_GLOBAL(encoding) = old_encoding;
        SOAP_GLOBAL(sdl) = old_sdl;
+       if (_bailout)
+               zend_bailout();
        SOAP_CLIENT_END_CODE();
 }
 [2013-11-18 12:55 UTC] martin dot koegler at brz dot gv dot at 
test1.php:
<?php
function Mist($p)
{
$client=new soapclient("test.wsdl", array('typemap'=>array(array("type_ns"=>"uri:mist", "type_name"=>"A"))));
try{
    $client->Mist(array("XX"=>"xx"));
}catch(SoapFault $x){}
return array("A"=>"ABC","B"=>"sss");
}

$s = new SoapServer("test.wsdl", array('typemap'=>array(array("type_ns"=>"uri:mist", "type_name"=>"A"))));
$s->addFunction("Mist");
$_SERVER["REQUEST_METHOD"] = "POST";
$HTTP_RAW_POST_DATA=<<<EOF
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:uri="uri:mist">
   <soapenv:Header/>
   <soapenv:Body>
      <uri:Request><uri:A>XXX</uri:A><uri:B>yyy</uri:B></uri:Request>
   </soapenv:Body>
</soapenv:Envelope>
EOF;
$s->handle($HTTP_RAW_POST_DATA);
?>
 [2013-11-18 12:58 UTC] martin dot koegler at brz dot gv dot at 
Sorry, the wsdl is recognized as spam.

test.wsdl - Part 1:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions xmlns:tns="uri:mist" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="test" targetNamespace="uri:mist">
  <wsdl:types>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="uri:mist">
      <xs:complexType name="T1">
        <xs:sequence>
          <xs:element name="A" type="xsd:string"/><xs:element name="B" type="xsd:string"/>
        </xs:sequence>
      </xs:complexType>
      <xs:element name="Request" type="tns:T1"/><xs:element name="Response" type="tns:T1"/>
    </xs:schema>
  </wsdl:types>
 [2013-11-18 12:59 UTC] martin dot koegler at brz dot gv dot at 
test.wsdl part 2:
  <wsdl:message name="Request">
    <wsdl:part name="Request" element="tns:Request"/>
  </wsdl:message>
  <wsdl:message name="Response">
    <wsdl:part name="Response" element="tns:Response"/>
  </wsdl:message>
  <wsdl:portType name="test">
    <wsdl:operation name="Mist">
      <wsdl:input message="tns:Request"/>
      <wsdl:output message="tns:Response"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="test" type="tns:test">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="Mist">
      <soap:operation soapAction="Mist"/>
      <wsdl:input>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="test">
    <wsdl:port name="test" binding="tns:test">
      <soap:address location="http://127.0.0.1:81/mist.php"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
 [2013-11-24 10:13 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2013-12-10 13:59 UTC] dmitry@php.net 
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=552e8b2b4c5708cb90faf148bd99e3f67fa926b5
Log: Fixed bug #66112 (Use after free condition in SOAP extension). (martin dot koegler at brz dot gv dot at)
 [2013-12-10 13:59 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2013-12-10 18:47 UTC] ab@php.net 
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=552e8b2b4c5708cb90faf148bd99e3f67fa926b5
Log: Fixed bug #66112 (Use after free condition in SOAP extension). (martin dot koegler at brz dot gv dot at)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Oct 27 16:01:27 2024 UTC