Bug #69341 segfault when complex SoapHeader given - reproducible
Submitted: 2015-03-31 16:06 UTC Modified: 2015-03-31 20:42 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: wuerfl at it-wuerfl dot de Assigned:
Status: Not a bug Package: SOAP related
PHP Version: 5.5.23 OS: Linux (Ubuntu/Red Hat Santiago)
Private report: No CVE-ID: None
 [2015-03-31 16:06 UTC] wuerfl at it-wuerfl dot de
Description:
------------
We have the bug under Magento (but it is a general bug): whenever a complex SoapHeader is given, soap.so segfaults in the PHP-FPM module.



Test script:
---------------
// PHP variable names are case-sensitive; the client is $soapClient throughout.
$soapClient = new SoapClient($loggingSoapClientParameters);

$auth = array(
    'UsernameToken' => array('Username' => $username, 'Password' => $password)
);

$ns = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
$ns = 'http://example.com/'; // overrides the WS-Security namespace above

// Type name and node name are NULL; only the two namespaces are given.
$auth = new SoapVar($auth, SOAP_ENC_ARRAY, NULL, $ns, NULL, $ns);

$wsseAuthHeader = new SoapHeader($ns, 'Security', $auth, true);
Mage::log($wsseAuthHeader); // Magento logger; moved after the header is created

$soapClient->__setSoapHeaders(array($wsseAuthHeader));

$requestGetSecurityToken = new stdClass();
$requestGetSecurityToken->UsesCount = 10;
$parameter = array("request" => $requestGetSecurityToken);

// execute the request
$soapResponse = $soapClient->GetSecurityToken($parameter);

Expected result:
----------------
no segfault

Actual result:
--------------
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
master_to_xml_int (encode=encode@entry=0x0, data=<optimized out>, style=style@entry=2, parent=parent@entry=0x1110930, check_class_map=check_class_map@entry=1)
    at /usr/src/php/ext/soap/php_encoding.c:466
466			if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS &&
(gdb) bt
#0  master_to_xml_int (encode=encode@entry=0x0, data=<optimized out>, style=style@entry=2, parent=parent@entry=0x1110930, check_class_map=check_class_map@entry=1)
    at /usr/src/php/ext/soap/php_encoding.c:466
#1  0x00007ffff0a31a3b in master_to_xml (encode=encode@entry=0x0, data=<optimized out>, style=style@entry=2, parent=parent@entry=0x1110930) at /usr/src/php/ext/soap/php_encoding.c:539
#2  0x00007ffff0a25ef8 in serialize_function_call (this_ptr=<optimized out>, function=<optimized out>, function_name=<optimized out>, uri=<optimized out>, arguments=<optimized out>, 
    arg_count=<optimized out>, version=1, soap_headers=0x187a6d8) at /usr/src/php/ext/soap/soap.c:4377
#3  0x00007ffff0a2bf9d in do_soap_call (this_ptr=0x177c0bb, this_ptr@entry=0x178bf40, function=0x7ffff0a595e3 "O", arg_count=24625328, arg_count@entry=1, real_args=0x736e, real_args@entry=0x0, 
    return_value=0x4, return_value@entry=0x187a6d8, location=0x652fb767fe9 <error: Cannot access memory at address 0x652fb767fe9>, location@entry=0x0, soap_action=0x0, call_uri=0x0, 
    soap_headers=0x187a6d8, output_headers=0x0, function_len=<optimized out>) at /usr/src/php/ext/soap/soap.c:2719
#4  0x00007ffff0a2c779 in zim_SoapClient___call (ht=<optimized out>, return_value=<optimized out>, return_value_ptr=<optimized out>, this_ptr=0x178bf40, return_value_used=<optimized out>)
    at /usr/src/php/ext/soap/soap.c:2943
#5  0x00007ffff23e16e5 in xdebug_execute_internal (current_execute_data=0x7fffffff9b60, fci=0x7fffffff9ca0, return_value_used=1) at /tmp/xdebug/xdebug.c:1651
#6  0x00000000006de9b5 in zend_call_function ()
#7  0x000000000070314c in zend_call_method ()
#8  0x000000000070f1dd in zend_std_call_user_call ()
#9  0x00007ffff23e16e5 in xdebug_execute_internal (current_execute_data=0x7ffff7fa2670, fci=0x0, return_value_used=1) at /tmp/xdebug/xdebug.c:1651
#10 0x00000000007a2f8e in ?? ()
#11 0x0000000000715af0 in execute_ex ()
#12 0x00007ffff23e0dc2 in xdebug_execute_ex (execute_data=0x7ffff7fa2670) at /tmp/xdebug/xdebug.c:1526
#13 0x00000000007a33a7 in ?? ()
#14 0x0000000000715af0 in execute_ex ()
#15 0x00007ffff23e0dc2 in xdebug_execute_ex (execute_data=0x7ffff7fa2180) at /tmp/xdebug/xdebug.c:1526
#16 0x00000000006ed9c0 in zend_execute_scripts ()
#17 0x000000000068e908 in php_execute_script ()
#18 0x00000000007a4faf in ?? ()
#19 0x000000000042ddb7 in ?? ()
#20 0x00007ffff5a1eb45 in __libc_start_main (main=0x42d990, argc=2, argv=0x7fffffffdb78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdb68)
    at libc-start.c:287
#21 0x000000000042def8 in _start ()

 [2015-03-31 16:43 UTC] cmb@php.net
Probably related to bug #69288 and bug #69293.
 [2015-03-31 16:47 UTC] wuerfl at it-wuerfl dot de
I found the error source, please look in ext/soap/php_encoding.c

at line 466:

		if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS &&
		    Z_TYPE_PP(zname) == IS_STRING) {

Should it be : Z_TYPE_PP(znamens) instead of zname?
 [2015-03-31 20:42 UTC] cmb@php.net
-Status: Open +Status: Not a bug
 [2015-03-31 20:42 UTC] cmb@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.

> Should it be : Z_TYPE_PP(znamens) instead of zname?

Yes, see bug #69288.
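
The defect confirmed above, as an added example that is not PHP source and not part of the original thread: a lookup fills one pointer (`znamens`) while the type check reads another (`zname`). The structs, `find()` and the `apply_ns_*` functions are hypothetical stand-ins for the Zend types, and the earlier `enc_name` lookup is an assumption about the surrounding code; NULL models the pointer that was never assigned.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for zval and HashTable (assumptions, not the Zend API). */
enum vtype { T_LONG, T_STRING };
struct val { enum vtype type; const char *str; };
struct entry { const char *key; struct val *v; };
enum result { NS_SKIPPED, NS_APPLIED, INVALID_DEREF };

/* Like zend_hash_find: on a miss, *out is left untouched. */
static int find(const struct entry *ht, size_t n, const char *key, struct val **out) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(ht[i].key, key) == 0) { *out = ht[i].v; return 1; }
    return 0;
}

/* Shape of the check quoted from line 466: looks up znamens, type-checks zname. */
static enum result apply_ns_buggy(const struct entry *ht, size_t n) {
    struct val *zname = NULL, *znamens = NULL; /* NULL models the never-assigned pointer */
    find(ht, n, "enc_name", &zname);           /* assumed earlier lookup; may miss */
    if (find(ht, n, "enc_namens", &znamens)) {
        if (zname == NULL) return INVALID_DEREF; /* real code reads through it: SIGSEGV */
        if (zname->type == T_STRING) return NS_APPLIED; /* znamens type never checked */
    }
    return NS_SKIPPED;
}

/* Corrected check: validate the pointer the lookup just filled. */
static enum result apply_ns_fixed(const struct entry *ht, size_t n) {
    struct val *znamens = NULL;
    if (find(ht, n, "enc_namens", &znamens) && znamens->type == T_STRING)
        return NS_APPLIED;
    return NS_SKIPPED;
}

/* Constructed sample tables. */
static struct val s_ns = { T_STRING, "http://example.com/" };
static struct val s_name = { T_STRING, "Security" };
static struct val i_ns = { T_LONG, NULL };
static const struct entry only_namens[] = { { "enc_namens", &s_ns } };
static const struct entry bad_namens[] = { { "enc_name", &s_name }, { "enc_namens", &i_ns } };

int main(void) {
    printf("namens only: buggy=%d fixed=%d\n", apply_ns_buggy(only_namens, 1), apply_ns_fixed(only_namens, 1));
    printf("non-string namens: buggy=%d fixed=%d\n", apply_ns_buggy(bad_namens, 2), apply_ns_fixed(bad_namens, 2));
    return 0;
}
```

The first table matches the test script's SoapVar (node namespace set, node name NULL); the second shows the same mismatch letting a non-string namespace through when a name is present.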