php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70529 Session read causes "String is not zero-terminated" error
Submitted: 2015-09-18 22:13 UTC Modified: 2015-09-19 02:16 UTC
From: yohgaki@php.net Assigned: yohgaki
Status: Closed Package: Session related
PHP Version: 7.0Git-2015-09-18 (Git) OS: Linux
Private report: No CVE-ID:
 [2015-09-18 22:13 UTC] yohgaki@php.net
Description:
------------
While I was looking into this bug
https://bugs.php.net/bug.php?id=70520
I found mcrypt_decrypt() sometimes raises "String is not zero-terminated" error. It seems mcrypt_decrypt() returns broken data sometimes also. It makes session decode fail on occasion.

Warning:  String is not zero-terminated (�J?w�fr,�:v�handler) (source: /home/yohgaki/git/oss/php.net/php-src/Zend/zend_execute.c:2061) in /home/yohgaki/workspace/ext/git/oss/php.net/php-src/tt2.php on line 20

Warning:  session_start(): Failed to decode session object. Session has been destroyed in /home/yohgaki/workspace/ext/git/oss/php.net/php-src/tt2.php on line 38

Tested by CLI server. If I don't use mcrypt_decrypt/encrypt(), the test code will not raise errors.

Test script:
---------------
<?php
ob_start();
error_reporting(E_ALL | E_STRICT);
ini_set('session.save_path', '/tmp');
ini_set('display_errors', true);

class EncryptedSessionHandler extends SessionHandler
{
    private $key;

    public function __construct($key)
    {
        $this->key = $key;
    }

    public function read($id)
    {
        $data = parent::read($id);

        return mcrypt_decrypt(MCRYPT_3DES, $this->key, $data, MCRYPT_MODE_ECB);
		//return $data;
    }

    public function write($id, $data)
    {
        $data = mcrypt_encrypt(MCRYPT_3DES, $this->key, $data, MCRYPT_MODE_ECB);

        return parent::write($id, $data);
    }
}

ini_set('session.save_handler', 'files');
$key = substr(sha1(random_bytes(24)), 0, 24);
$handler = new EncryptedSessionHandler($key);
session_set_save_handler($handler, true);

echo '<pre>';
session_start();
$_SESSION['key'] = 1234;
var_dump($_SESSION);
echo session_id() . PHP_EOL;
session_regenerate_id(true);
echo session_id() . PHP_EOL;


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-09-18 22:22 UTC] yohgaki@php.net
Although I don't see errors if I don't use mcrypt, session module may do something wrong in these lines

$data = parent::read($id);
return parent::write($id, $data);

I'll look into this. Could anyone look into mcrypt?
 [2015-09-19 02:16 UTC] yohgaki@php.net
-Summary: mcrypt_decrypt() call sometime results in "String is not zero-terminated" error +Summary: Session read causes "String is not zero-terminated" error -Status: Open +Status: Analyzed -Package: mcrypt related +Package: Session related -Assigned To: +Assigned To: yohgaki
 [2015-09-19 02:16 UTC] yohgaki@php.net
This bugs cause was in ext/session/mod_files.c
When zend_string is adopted, terminating null char was forgotten. This bug is only in PHP-7.0 and master. I'll commit the fix now.
 [2015-09-19 02:28 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f7cc862d763bcd3ca09f1164df8cdec929b75b9
Log: Fixed bug #70529 Session read causes &quot;String is not zero-terminated&quot; error
 [2015-09-19 02:28 UTC] yohgaki@php.net
-Status: Analyzed +Status: Closed
 [2015-09-29 13:10 UTC] ab@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f7cc862d763bcd3ca09f1164df8cdec929b75b9
Log: Fixed bug #70529 Session read causes &quot;String is not zero-terminated&quot; error
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f7cc862d763bcd3ca09f1164df8cdec929b75b9
Log: Fixed bug #70529 Session read causes &quot;String is not zero-terminated&quot; error
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 21 14:01:44 2017 UTC