PHP :: Bug #73524 :: segfault in scandir over ssh2

Bug #73524

segfault in scandir over ssh2

Submitted:

2016-11-15 09:25 UTC

Modified:

2018-11-24 17:44 UTC

Votes:	31
Avg. Score:	4.8 ± 0.5
Reproduced:	29 of 30 (96.7%)
Same Version:	24 (82.8%)
Same OS:	9 (31.0%)

From:

af at ins dot de

Assigned:

Status:

Closed

Package:

ssh2 (PECL)

PHP Version:

7.2.12

OS:

linux 4.4.27-gentoo

Private report:

CVE-ID:

None

View Developer Edit

[2016-11-15 09:25 UTC] af at ins dot de

Description:
------------
When using scandir() over a ssh2-stream scandir creates a segmentation fault.

We have tested this with libSSH2 1.7.0 and libSSH 1.8.0.

When we downgrade to PHP 5.6.27 (tested with libSSH2 1.7.0 and libSSH 1.8.0) the segmentation fault does not occur and the script works as expected.



Test script:
---------------
<?php
$ssh2 = ssh2_connect('ftp.yourdomain.de', 22);
if (!ssh2_auth_password($ssh2, 'yourusername','yourpassword')) {
  echo("auth error\n");
  exit();
}
$sftp = ssh2_sftp($ssh2);
$te='ssh2.sftp://'.$sftp.'/receive/';
echo('te='.$te."\n");

echo("before scandir!\n");
$files = scandir($te,SCANDIR_SORT_ASCENDING );
echo("after scandir!\n");

if ($files===false)
  echo("scandir error\n");
else
  echo("scandir success\n");



Expected result:
----------------
te=ssh2.sftp://Resource id #5/receive/
before scandir!
after scandir!
scandir success


Actual result:
--------------
te=ssh2.sftp://Resource id #5/receive/
before scandir!
Segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-16 16:15 UTC] portale at partyerleben dot de

I have got the same issue when using is_dir, dir and fopen.
- php 5.6.28
- php5-ssh2 1:0.12-2~dotdeb+7.1
- libSSH 1.4.2.-1.1+deb7u2

Downgrading to php 5.6.27 solves the problem as already described.
In addition to that I removed php5-ssh2 and installed ssh2 from pecl (v. 0.13). It causes no segmentation fault, but could not find the sftp-path with php 5.6.28. With version 5.6.27 it works fine.

[2016-11-16 16:28 UTC] jerome dot auge at anakeen dot com

Since upgrading to 5.6.28, I experience problems with mkdir("ssh2.sftp://$conn/$dir") and ssh2_sftp_mkdir($conn, $dir) calls always returning bool(false):

- mkdir("ssh2.sftp://$conn/$dir") returns bool(false), no error messages are printed on error_log, and the directory is not created.
- ssh2_sftp_mkdir($conn_sftp, $dir) returns bool(false), no error messages are printed on error_log, but the directory is correctly created.

Reverting to PHP 5.6.27 corrects these problems.

- Ubuntu   12.04
- PHP      5.6.28 (from Ondřej Surý)
- php-ssh2 0.13 (from Ondřej Surý)
- libssh2  1.2.8-2 (from Ubuntu)

[2016-11-18 07:45 UTC] liborm85 at gmail dot com

This bug is probably fixed in ssh2 Git, but not version released.

Commit in PHP 5 branch:
https://github.com/php/pecl-networking-ssh2/commit/093906ec1c065e86ad1cd4dabbc89b1ccae11938

Commit PHP 7 branch:
https://github.com/php/pecl-networking-ssh2/compare/fd0455499afd78fad552ea22f6697d9fee2a3d64...756e2f1369f2d5ff006222d978806f4fd91659e1

[2016-11-21 14:08 UTC] grossolini@php.net

In my case, the patch mentioned here fixed the problem with both v5.6.28 and v7.0.13.
Without the patch, opendir() on v5.6.27 and v7.0.12 worked fine, while v5.6.28 and v7.0.13 returned "false" without any error.

[2016-12-14 22:35 UTC] sistemas at consorcioabierto dot com

Same issue when using scandir() over a ssh2 stream.

- Debian 8
- PHP 5.6.28
- php5-ssh2 0.12-3
- libssh2 1.4.3-4.1+deb8u1

Downgrading php solves the problem.

[2016-12-15 09:47 UTC] ovoelker at wavecon dot de

this is a short note on downgrading PHP on Debian 8 with 5.6.28, because 5.6.27 seems to have vanished from their repos:

add this to sources.list:
deb http://snapshot.debian.org/archive/debian-security/20161024T152621Z/ jessie/updates main

then: "apt-get -o Acquire::Check-Valid-Until=false update"

then downgrade like that (add other packages if needed):

apt-get install php5=5.6.27+dfsg-0+deb8u1 php5-sqlite=5.6.27+dfsg-0+deb8u1 php5-common=5.6.27+dfsg-0+deb8u1 libapache2-mod-php5=5.6.27+dfsg-0+deb8u1 php5-cli=5.6.27+dfsg-0+deb8u1 php5=5.6.27+dfsg-0+deb8u1 php5-sqlite=5.6.27+dfsg-0+deb8u1 php5-gd=5.6.27+dfsg-0+deb8u1 php5-cli=5.6.27+dfsg-0+deb8u1 php5-imap=5.6.27+dfsg-0+deb8u1 php5-pgsql=5.6.27+dfsg-0+deb8u1 php5-mcrypt=5.6.27+dfsg-0+deb8u1 php5-intl=5.6.27+dfsg-0+deb8u1 php5-curl=5.6.27+dfsg-0+deb8u1 php5-mysql=5.6.27+dfsg-0+deb8u1 libapache2-mod-php5=5.6.27+dfsg-0+deb8u1 php-pear=5.6.27+dfsg-0+deb8u1

[2016-12-15 22:13 UTC] m dot zygmuntowicz at onet dot pl

The segfault happens whenever an "ssh2.sftp://Resource id #NNN/..."
wrapper is used.
Changing it to "ssh2.sftp://NNN/..." seems to workaround the issue.
I can confirm 5.6.27 is not affected by this bug.

[2016-12-18 16:52 UTC] edvsb at gmx dot de

Same problem with PHP 5.6.29-0+deb8u1.

Segfaults, if the ssh2.sftp-Wrapper is used. Like "if(!is_dir('ssh2.sftp://'.$this->sftp_con.$dir))"

[2018-11-24 17:44 UTC] af at ins dot de

-Status: Open +Status: Closed -PHP Version: 5.6.28 +PHP Version: 7.2.12

[2018-11-24 17:44 UTC] af at ins dot de

Tested the Bug again with 7.2.10 and 7.2.12. The bug is fixed.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Nov 05 08:00:02 2025 UTC