php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69395 Segmentation fault, possibly in php-ldap
Submitted: 2015-04-07 15:15 UTC Modified: 2015-04-13 07:21 UTC
From: come dot bernigaud at opensides dot be Assigned:
Status: Closed Package: LDAP related
PHP Version: 5.6.7 OS: Debian
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: come dot bernigaud at opensides dot be
New email:
PHP Version: OS:

 

 [2015-04-07 15:15 UTC] come dot bernigaud at opensides dot be
Description:
------------
Hello, running Debian Jessie which includes php 5.6.7+dfsg-1, I get a segfault while using FusionDirectory, the same code does not segfault on Debian Wheezy which has an older version of PHP.

Expected result:
----------------
No segfault

Actual result:
--------------
#0  0xb7d9ea77 in _int_malloc (av=av@entry=0xb7ed1420 <main_arena>, bytes=bytes@entry=4060) at malloc.c:3302
#1  0xb7da0b31 in __GI___libc_malloc (bytes=4060) at malloc.c:2891
#2  0xb7243971 in ber_memalloc_x () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#3  0xb7243aea in ber_memrealloc_x () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#4  0xb72420ad in ber_realloc () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#5  0xb72411f6 in ?? () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#6  0xb7241ccc in ber_printf () from /usr/lib/i386-linux-gnu/liblber-2.4.so.2
#7  0xb6f4e66d in ldap_build_search_req () from /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2
#8  0xb6f4ec8f in ldap_search () from /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2
#9  0xb6f4ee39 in ldap_search_s () from /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2
#10 0xb5186bed in php_ldap_do_search (ht=-2144099600, return_value=0xfdc, scope=1, return_value_used=<optimized out>, this_ptr=<optimized out>, 
    return_value_ptr=<optimized out>) at /build/php5-truQYy/php5-5.6.7+dfsg/ext/ldap/ldap.c:798
#11 0xb6314340 in execute_internal (execute_data_ptr=0x83fff508, fci=0x0, return_value_used=1) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute.c:1527
#12 0xb624d51e in dtrace_execute_internal (execute_data_ptr=0x83fff508, fci=0x0, return_value_used=1) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:97
#13 0xb6318414 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff508) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:560
#14 0xb629e267 in execute_ex (execute_data=0x83fff508) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#15 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff508) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#16 0xb6316164 in zend_execute (op_array=0x803a0bb8) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#17 0xb624f3db in zend_call_function (fci=0xbf802648, fci_cache=0xbf802634) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute_API.c:829
#18 0xb60dab04 in zim_reflection_method_invokeArgs (ht=2, return_value=0x8406a2a4, return_value_ptr=0x83fff434, this_ptr=0x8039fbb0, return_value_used=1)
    at /build/php5-truQYy/php5-5.6.7+dfsg/ext/reflection/php_reflection.c:3045
#19 0xb6314340 in execute_internal (execute_data_ptr=0x83fff440, fci=0x0, return_value_used=1) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute.c:1527
#20 0xb624d51e in dtrace_execute_internal (execute_data_ptr=0x83fff440, fci=0x0, return_value_used=1) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:97
#21 0xb6318414 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff440) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:560
#22 0xb629e267 in execute_ex (execute_data=0x83fff440) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#23 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff440) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#24 0xb6316164 in zend_execute (op_array=0x803a7aac) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#25 0xb624f3db in zend_call_function (fci=0xbf802978, fci_cache=0xbf802964) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute_API.c:829
#26 0xb627793f in zend_call_method (object_pp=0xbf8029f8, obj_ce=<optimized out>, fn_proxy=0x803a7a2c, function_name=0xb66a3943 "__call", function_name_len=6, 
    retval_ptr_ptr=0xbf802a08, param_count=2, arg1=0x8406982c, arg2=0x84069d8c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_interfaces.c:97
#27 0xb6287a74 in zend_std_call_user_call (ht=3, return_value=0x8406a01c, return_value_ptr=0x83fff360, this_ptr=0x84069aec, return_value_used=0)
    at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_object_handlers.c:931
#28 0xb6314340 in execute_internal (execute_data_ptr=0x83fff36c, fci=0x0, return_value_used=0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_execute.c:1527
#29 0xb624d51e in dtrace_execute_internal (execute_data_ptr=0x83fff36c, fci=0x0, return_value_used=0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:97
#30 0xb6318414 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff36c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:560
#31 0xb629e267 in execute_ex (execute_data=0x83fff36c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#32 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff36c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#33 0xb6316164 in zend_execute (op_array=0x8033ae7c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#34 0xb6318902 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff288) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:592
#35 0xb629e267 in execute_ex (execute_data=0x83fff288) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#36 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff288) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#37 0xb6316164 in zend_execute (op_array=0x8033ae7c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#38 0xb6318902 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff1a4) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:592
#39 0xb629e267 in execute_ex (execute_data=0x83fff1a4) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#40 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff1a4) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#41 0xb6316164 in zend_execute (op_array=0x8033ae7c) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:388
#42 0xb6318902 in zend_do_fcall_common_helper_SPEC (execute_data=0x83fff0c0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:592
#43 0xb629e267 in execute_ex (execute_data=0x83fff0c0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#44 0xb624d37f in dtrace_execute_ex (execute_data=0x83fff0c0) at /build/php5-truQYy/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-04-07 17:38 UTC] aharvey@php.net
-Package: *General Issues +Package: LDAP related
 [2015-04-09 10:27 UTC] come dot bernigaud at opensides dot be
The problem seems linked to an infinite loop caused by ldap_list returning its search base in the results. This should not be possible as ldap_list is supposed to «Performs the search for a specified filter on the directory with the scope LDAP_SCOPE_ONELEVEL» and the search base is not in the ONELEVEL scope.

I checked with this minimal code.
<?php
$host = 'localhost';
$port = '389';
$binddn = 'cn=admin,dc=mcmic,dc=test';
$bindpw = 'pwd';

$cid = ldap_connect($host, $port);
ldap_set_option($cid, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($cid, $binddn, $bindpw);
$res = ldap_list($cid, 'ou=wheezy,ou=debian,ou=fai,ou=configs,ou=systems,dc=mcmic,dc=test', '(objectClass=FAIbranch)', array('dn'));
print_r(ldap_error($cid)."\n");

echo "\nResults:\n";
print_r(ldap_count_entries($cid, $res)."\n");
$entry = ldap_first_entry($cid, $res);
if ($entry) {
  print_r(ldap_get_dn($cid, $entry));
}
I get:
Success

Results:
1
ou=wheezy,ou=debian,ou=fai,ou=configs,ou=systems,dc=mcmic,dc=test

But with the same request by ldap search:
# ldapsearch -xLLL -s one -b ou=wheezy,ou=debian,ou=fai,ou=configs,ou=systems,dc=mcmic,dc=test objectClass=FAIBranch
I get nothing.

The weird thing is I do not get the same behaviour with other bases.
 [2015-04-09 10:55 UTC] come dot bernigaud at opensides dot be
Using normal auth instead of -xLLL, I DO get the same result with ldapsearch, so the error may not be in PHP after all
 [2015-04-13 07:21 UTC] come dot bernigaud at opensides dot be
-Status: Open +Status: Closed
 [2015-04-13 07:21 UTC] come dot bernigaud at opensides dot be
The error was in openldap and not in PHP
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Nov 27 19:03:46 2022 UTC