Bug #69293 NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)
Submitted: 2015-03-25 00:06 UTC Modified: 2015-03-27 10:21 UTC
From: andre at tomt dot net Assigned: laruence
Status: Closed Package: SOAP related
PHP Version: 5.5Git-2015-03-24 (Git) OS: Linux Ubuntu 14.04 x86_64
Private report: No CVE-ID:
 [2015-03-25 00:06 UTC] andre at tomt dot net
Description:
------------
SoapClient segfaults php in 5.5.23 and 5.6.7. 5.5.22 and 5.6.6 are OK. Current PHP-5.5 branch git checkouts still segfault.

Git bisect found the following commit to be causing the problem:
https://github.com/php/php-src/commit/c8eaca013a3922e8383def6158ece2b63f6ec483
"Added type checks"

To reproduce, configure php with ./configure --disable-all --enable-cli --enable-soap --enable-libxml and run the linked test script using the cli sapi.
 
Note the script is not meant to actually work, the demo webservice does not accept the extra header. I just failed to find a public web service using extra headers to demo the problem and I could not expose the internal service that uses them. But segfault is the same.

master (7.x) does not segfault but seems to have some other issue with this code or WSDL; I have not investigated that further.


Test script:
---------------
<?php
// Create Security header
$secns = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
$token = new stdClass;
$token->Username = new SOAPVar('bugs_php_net_test', XSD_STRING, null, null, null, $secns);
$token->Password = new SOAPVar('bugs_php_net_test', XSD_STRING, null, null, null, $secns);
$wsec = new stdClass;
$wsec->UsernameToken = new SoapVar($token, SOAP_ENC_OBJECT, null, null, null, $secns);
$headers = new SOAPHeader($secns, 'Security', $wsec, true);

// Go go go
$client = new SoapClient("http://www.webservicex.net/periodictable.asmx?WSDL", array('exceptions' => true, 'trace' => 1));
$client->__setSOAPHeaders($headers);
$client->GetAtomicNumber(array('ElementName' => 'Vanadium'));

Expected result:
----------------
Expected output would be a fatal SoapFault

Fatal error: Uncaught SoapFault exception: [soap:MustUnderstand] System.Web.Services.Protocols.SoapHeaderException: SOAP header Security was not understood.

Actual result:
--------------
Starting program: /home/atomt/temp/php5-bisect/php-5.5.23/sapi/cli/php ~/temp/php5-bisect/test.php

Program received signal SIGSEGV, Segmentation fault.
0x00000000004aaca2 in master_to_xml_int (encode=0xa0abb8 <defaultEncoding+504>, data=data@entry=0x7ffff7fcc160, style=style@entry=2, parent=parent@entry=0xb4a2f0, 
    check_class_map=check_class_map@entry=1) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:467
467			    Z_TYPE_PP(zname) == IS_STRING) {
(gdb) bt
#0  0x00000000004aaca2 in master_to_xml_int (encode=0xa0abb8 <defaultEncoding+504>, data=data@entry=0x7ffff7fcc160, style=style@entry=2, parent=parent@entry=0xb4a2f0, 
    check_class_map=check_class_map@entry=1) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:467
#1  0x00000000004ac8a5 in master_to_xml (parent=0xb4a2f0, style=2, data=0x7ffff7fcc160, encode=<optimized out>) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:539
#2  to_xml_object (type=0xa0b6e0 <defaultEncoding+3360>, data=0x7ffff7fca528, style=2, parent=<optimized out>) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:2070
#3  0x00000000004aa8c6 in master_to_xml_int (encode=0xa0b6e0 <defaultEncoding+3360>, data=0x7ffff7fca528, style=2, parent=0xb4a250, check_class_map=<optimized out>)
    at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:528
#4  0x00000000004aac0d in master_to_xml_int (encode=0xa0abb8 <defaultEncoding+504>, data=data@entry=0x7ffff7fcb1a8, style=style@entry=2, parent=parent@entry=0xb4a250, 
    check_class_map=check_class_map@entry=1) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:447
#5  0x00000000004ac8a5 in master_to_xml (parent=0xb4a250, style=2, data=0x7ffff7fcb1a8, encode=<optimized out>) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:539
#6  to_xml_object (type=0xa0abb8 <defaultEncoding+504>, data=0x7ffff7fcc280, style=2, parent=<optimized out>) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:2070
#7  0x00000000004aa8c6 in master_to_xml_int (encode=0xa0abb8 <defaultEncoding+504>, data=0x7ffff7fcc280, style=2, parent=0xb49ea0, check_class_map=<optimized out>)
    at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:528
#8  0x00000000004aa8c6 in master_to_xml_int (encode=0xa0a9c0 <defaultEncoding>, encode@entry=0x0, data=0x7ffff7fcc280, style=style@entry=2, parent=parent@entry=0xb49ea0, 
    check_class_map=check_class_map@entry=1) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:528
#9  0x00000000004ab05b in master_to_xml (encode=encode@entry=0x0, data=<optimized out>, style=style@entry=2, parent=parent@entry=0xb49ea0)
    at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/php_encoding.c:539
#10 0x000000000049fac5 in serialize_function_call (this_ptr=<optimized out>, function=<optimized out>, function_name=<optimized out>, uri=<optimized out>, arguments=<optimized out>, 
    arg_count=<optimized out>, version=1, soap_headers=0x7ffff7fce2e8) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/soap.c:4377
#11 0x00000000004a563d in do_soap_call (this_ptr=0x7ffff7fcb22b, this_ptr@entry=0x7ffff7fcb728, function=0x708351 "Wrong 'typemap' option", arg_count=11, arg_count@entry=1, 
    real_args=0x736e65 <ht_bucket_html4_076+5>, real_args@entry=0x0, return_value=0x4, return_value@entry=0x7ffff7fd0568, 
    location=0x652fb767fe9 <error: Cannot access memory at address 0x652fb767fe9>, location@entry=0x7ffff7fce2e8 "\b", soap_action=0x0, call_uri=0x0, soap_headers=0x7ffff7fce2e8, 
    output_headers=0x0, function_len=<optimized out>) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/soap.c:2719
#12 0x00000000004a5dea in zim_SoapClient___call (ht=<optimized out>, return_value=0x7ffff7fd0568, return_value_ptr=<optimized out>, this_ptr=0x7ffff7fcb728, 
    return_value_used=<optimized out>) at /home/atomt/temp/php5-bisect/php-5.5.23/ext/soap/soap.c:2943
#13 0x00000000005bde78 in zend_call_function (fci=0x7fffffffa160, fci_cache=0x7fffffffa130) at /home/atomt/temp/php5-bisect/php-5.5.23/Zend/zend_execute_API.c:952
#14 0x00000000005e339f in zend_call_method (object_pp=object_pp@entry=0x7fffffffa218, obj_ce=<optimized out>, obj_ce@entry=0xac8060, fn_proxy=fn_proxy@entry=0xac81b8, 
    function_name=function_name@entry=0x708cb7 "__call", function_name_len=function_name_len@entry=6, retval_ptr_ptr=retval_ptr_ptr@entry=0x7fffffffa230, param_count=2, 
    arg1=0x7ffff7fd0370, arg2=0x7ffff7fce370) at /home/atomt/temp/php5-bisect/php-5.5.23/Zend/zend_interfaces.c:97
#15 0x00000000005ef734 in zend_std_call_user_call (ht=<optimized out>, return_value=0x7ffff7fce0c8, return_value_ptr=<optimized out>, this_ptr=0x7ffff7fcb728, 
    return_value_used=<optimized out>) at /home/atomt/temp/php5-bisect/php-5.5.23/Zend/zend_object_handlers.c:899
#16 0x00000000006818b7 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f954c0) at /home/atomt/temp/php5-bisect/php-5.5.23/Zend/zend_vm_execute.h:550
#17 0x00000000005f69a8 in execute_ex (execute_data=0x7ffff7f954c0) at /home/atomt/temp/php5-bisect/php-5.5.23/Zend/zend_vm_execute.h:363
#18 0x00000000005ccfed in zend_execute_scripts (type=8, retval=0x708351, retval@entry=0x0, file_count=3) at /home/atomt/temp/php5-bisect/php-5.5.23/Zend/zend.c:1327
#19 0x000000000056b350 in php_execute_script (primary_file=0x7fffffffc7e0) at /home/atomt/temp/php5-bisect/php-5.5.23/main/main.c:2525
#20 0x0000000000683a57 in do_cli (argc=-134434261, argv=0x708351) at /home/atomt/temp/php5-bisect/php-5.5.23/sapi/cli/php_cli.c:994
#21 0x000000000041fee4 in main (argc=-134434261, argv=0x708351) at /home/atomt/temp/php5-bisect/php-5.5.23/sapi/cli/php_cli.c:1378
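
The bisection the reporter describes (build php-src with the minimal configure line, run the test script, mark a revision bad when the CLI dies with SIGSEGV) can be handed to `git bisect run`. The wrapper below is an added example and is not part of the original report or of php-src; it assumes a php-src checkout in the working directory, the reporter's script saved at the path in TEST_SCRIPT, and, like the script itself, network access to the WSDL. The non-obvious part is the exit status: a shell reports death by signal as 128+signo, so the segfault comes back as 139, and `git bisect run` aborts on any status above 127 instead of recording it as bad, so `git bisect run sapi/cli/php test.php` would stop at the first crash. The wrapper translates the status into the 0/1/125 codes bisect expects.

```shell
#!/bin/sh
# Wrapper for `git bisect run` over php-src (added example, not the
# reporter's code). Builds the checked-out revision with the reporter's
# configure line, runs the test script and reports good/bad/skip to git.
TEST_SCRIPT="${TEST_SCRIPT:-$HOME/temp/php5-bisect/test.php}"   # assumed path

# Map the exit status of `php test.php` onto the codes git bisect run expects:
#   0   -> good, 1 -> bad, 125 -> cannot test this revision (skip).
# A shell reports a signal death as 128+signo, so SIGSEGV is 139; PHP's CLI
# exits 255 on a fatal error, which is what the uncaught SoapFault produces.
classify_exit() {
    case "$1" in
        139) echo 1 ;;   # SIGSEGV: the regression we are hunting
        255) echo 0 ;;   # fatal error (uncaught SoapFault): expected behaviour
        0)   echo 0 ;;   # script completed: no crash
        *)   echo 125 ;; # anything else (network down, missing binary): skip
    esac
}

# Build this revision with the reporter's minimal configuration. A build
# failure is reported as 125 so git bisect skips the revision rather than
# misattributing the crash.
build_php() {
    ./buildconf --force >/dev/null 2>&1 || return 125
    ./configure --disable-all --enable-cli --enable-soap --enable-libxml \
        >/dev/null 2>&1 || return 125
    make -j"$(nproc)" >/dev/null 2>&1 || return 125
}

bisect_step() {
    build_php || return 125
    rc=0
    sapi/cli/php "$TEST_SCRIPT" >/dev/null 2>&1 || rc=$?
    return "$(classify_exit "$rc")"
}

# Only build and run when explicitly asked, so the helpers can be sourced
# without side effects:
#   git bisect start php-5.5.23 php-5.5.22
#   BISECT_RUN=1 git bisect run sh ./bisect-soap.sh
if [ "${BISECT_RUN:-0}" = 1 ]; then
    bisect_step
    exit $?
fi
```

Start the bisection with the known-bad and known-good tags (`git bisect start php-5.5.23 php-5.5.22`), then run the wrapper with BISECT_RUN=1 as shown in the comment; git checks out each candidate, the wrapper builds and probes it, and bisect stops at the first commit that makes the CLI segfault. Because the probe depends on a remote WSDL, a network hiccup is classified as skip rather than good or bad, which keeps a transient failure from steering the bisection to the wrong commit.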


History

 [2015-03-25 00:07 UTC] andre at tomt dot net
-Operating System: Linux Ubuntu 14.04 +Operating System: Linux Ubuntu 14.04 x86_64
 [2015-03-25 00:07 UTC] andre at tomt dot net
Adding platform
 [2015-03-25 05:19 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 [2015-03-25 05:19 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2015-03-25 09:51 UTC] kaplan@php.net
Please also apply to PHP-5.4 branch.
 [2015-03-25 18:00 UTC] andre at tomt dot net
Confirming the fix returns things to a working state for 5.5

Thanks
 [2015-03-26 15:13 UTC] vlajos at gmail dot com
We have something similar...
The original test script fails on this system:

# php -v
PHP 5.4.39 (cli) (built: Mar 20 2015 08:09:55)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.11 (Tikanga)

(gdb) bt
#0  0x00002af73124a073 in master_to_xml_int (encode=0x2af731479d78, data=0x2af729fbc810, style=2, parent=0x1abd9f30, check_class_map=<value optimized out>)
    at /usr/src/debug/php-5.4.39/ext/soap/php_encoding.c:466
#1  0x00002af73124db52 in to_xml_object (type=0x2af73147a8a0, data=0x2af729fba9f8, style=2, parent=<value optimized out>) at /usr/src/debug/php-5.4.39/ext/soap/php_encoding.c:2070
#2  0x00002af731249c84 in master_to_xml_int (encode=0x2af73147a8a0, data=0x2af729fba9f8, style=2, parent=0x1abd9e90, check_class_map=704362160)
    at /usr/src/debug/php-5.4.39/ext/soap/php_encoding.c:528
#3  0x00002af731249fc9 in master_to_xml_int (encode=0x2af731479d78, data=0x2af729fbb680, style=2, parent=0x1abd9e90, check_class_map=1)
    at /usr/src/debug/php-5.4.39/ext/soap/php_encoding.c:447
#4  0x00002af73124db52 in to_xml_object (type=0x2af731479d78, data=0x2af729fbc930, style=2, parent=<value optimized out>) at /usr/src/debug/php-5.4.39/ext/soap/php_encoding.c:2070
#5  0x00002af731249c84 in master_to_xml_int (encode=0x2af731479d78, data=0x2af729fbc930, style=2, parent=0x1abd9ae0, check_class_map=704362160)
    at /usr/src/debug/php-5.4.39/ext/soap/php_encoding.c:528
#6  0x00002af731249c84 in master_to_xml_int (encode=0x2af731479b80, data=0x2af729fbc930, style=2, parent=0x1abd9ae0, check_class_map=704362160)
    at /usr/src/debug/php-5.4.39/ext/soap/php_encoding.c:528
#7  0x00002af731238e7b in serialize_function_call (this_ptr=0x2af729fc0c58, function=0x2af729fc44a8, function_name=<value optimized out>, uri=<value optimized out>, 
    arguments=0x2af729fc0c50, arg_count=1, version=1, soap_headers=0x2af729fbe998) at /usr/src/debug/php-5.4.39/ext/soap/soap.c:4358
#8  0x00002af731242e6b in do_soap_call (this_ptr=0x2af729fbbc00, function=0x2af729fc5f30 "GetAtomicNumber", function_len=<value optimized out>, arg_count=1, real_args=0x2af729fc0c50, 
    return_value=0x2af729fc5fd8, location=0x2af729fc3a20 "http://www.webservicex.net/periodictable.asmx", soap_action=0x0, call_uri=0x0, soap_headers=0x2af729fbe998, output_headers=0x0)
    at /usr/src/debug/php-5.4.39/ext/soap/soap.c:2708
#9  0x00002af7312438f3 in zim_SoapClient___call (ht=<value optimized out>, return_value=0x2af729fc5fd8, return_value_ptr=<value optimized out>, this_ptr=0x2af729fbbc00, 
    return_value_used=<value optimized out>) at /usr/src/debug/php-5.4.39/ext/soap/soap.c:2924
#10 0x00000000005ca7cc in zend_call_function (fci=0x7fff6a71e190, fci_cache=0x7fff6a71e1e0) at /usr/src/debug/php-5.4.39/Zend/zend_execute_API.c:978
#11 0x00000000005eed0f in zend_call_method (object_pp=0x7fff6a71e2b0, obj_ce=0x1abbddc0, fn_proxy=0x1abbdf18, function_name=0x6e3bcb "__call", function_name_len=6, 
    retval_ptr_ptr=0x7fff6a71e2c0, param_count=2, arg1=0x2af729fc5f00, arg2=0x2af729fbea20) at /usr/src/debug/php-5.4.39/Zend/zend_interfaces.c:97
#12 0x00000000005fcd0d in zend_std_call_user_call (ht=<value optimized out>, return_value=0x2af729fbe778, return_value_ptr=<value optimized out>, this_ptr=0x2af729fbbc00, 
    return_value_used=<value optimized out>) at /usr/src/debug/php-5.4.39/Zend/zend_object_handlers.c:893
#13 0x000000000060659a in zend_do_fcall_common_helper_SPEC (execute_data=0x2af729f88060) at /usr/src/debug/php-5.4.39/Zend/zend_vm_execute.h:643
#14 0x000000000060c3ce in execute (op_array=0x2af729fbb2b8) at /usr/src/debug/php-5.4.39/Zend/zend_vm_execute.h:410
#15 0x00000000005d6bfe in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/src/debug/php-5.4.39/Zend/zend.c:1329
#16 0x000000000057c2e8 in php_execute_script (primary_file=0x7fff6a720a50) at /usr/src/debug/php-5.4.39/main/main.c:2502
#17 0x000000000067eccd in do_cli (argc=2, argv=0x7fff6a721d88) at /usr/src/debug/php-5.4.39/sapi/cli/php_cli.c:989
#18 0x000000000067f64d in main (argc=2, argv=0x7fff6a721d88) at /usr/src/debug/php-5.4.39/sapi/cli/php_cli.c:1365
 [2015-03-27 09:09 UTC] vlajos at gmail dot com
Could you please reopen this? Or should I create a similar one for the 5.4 versions?
 [2015-03-27 10:21 UTC] requinix@php.net
As of a few months ago, 5.4 is only intended to get security fixes.
http://php.net/supported-versions.php
 [2015-03-27 13:35 UTC] karl at debisschop dot net
requinix - it seems the problem is that a security fix has broken the SOAP module because the applied patch had a flaw. It's not about making changes to 5.4 -- it's about making changes to the flaws in the security patch. Is there no room to fix the patch or are we to make the SOAP system potentially unusable because policy prohibits us from applying a corrected patch?
 [2015-03-27 15:43 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75f40ae1f3a7ca837d230f099627d121f9b3a32f
Log: Fixed bug #69293
 [2015-04-06 00:38 UTC] stas@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=75f40ae1f3a7ca837d230f099627d121f9b3a32f
Log: Fixed bug #69293
 [2015-04-10 06:37 UTC] ks dot sundarajan at capgemini dot com
Hello,

Can you please tell us in which version of PHP this fix is available? Is this fix released?

Thanks,
Sundar
 [2015-04-22 16:23 UTC] kaplan@php.net
5.4.40, 5.5.24, 5.6.8
 [2015-10-08 13:17 UTC] sergiopaternoster73 at gmail dot com
It seems this problem happens with php 7.0.0RC4 as well. Same script. Note the problem *DOES NOT* happen on php 7.0.0RC3.

Core was generated by `/usr/local/php/7.0.0RC4/bin/php -q ./tmp/sfdc.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000052c510 in zend_string_realloc (s=0x0, len=665, persistent=0) at /home/edsradmin/software/php-7.0.0RC4/Zend/zend_string.h:185
185             if (!ZSTR_IS_INTERNED(s)) {
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 26 14:01:37 2017 UTC