php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73539 memcache session handler with two backend servers Fatal Error (out of memory)
Submitted: 2016-11-16 09:53 UTC Modified: -
Votes:92
Avg. Score:4.9 ± 0.3
Reproduced:90 of 90 (100.0%)
Same Version:85 (94.4%)
Same OS:14 (15.6%)
From: php at bof dot de Assigned:
Status: Open Package: memcache (PECL)
PHP Version: 5.6.28 OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-11-16 09:53 UTC] php at bof dot de
Description:
------------
Re-Report with better-suited Package (memcache), original bug report: 

https://bugs.php.net/bug.php?id=73497

Using memcache 3.0.8 with 5.6.28 fails when more than one backend server is configured.

There was a change from 5.6.27 to 5.6.28 in ext/standard/url.c php_url_parse_ex which resulted in that regression. That function does not, in various places, work properly with the passed-in length parameter. The recent change, given the use in memcache_session.c, then results in a fatal memory error.

For test script etc. please see that other bug report.

The appended patch fixes the issue for me, by making, in memcache_session.c, an estrndup of the single server substring before passing it to php_url_parse_ex().

Private communication with nikic yesterday indicated that right now php_url_parse_ex is considered to fragile to be made length-safe, so please consider applying that patch to the memcache extension, and respinning a memcache-3.0.9 release.



Patches

memcache_session_parse_fix.patch (last revision 2016-11-16 09:54 UTC by php at bof dot de)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-12 16:44 UTC] carmstrong at trilliumit dot com
This issue also affects php 7.0.13. With php 7 on a 64 bit system memcached tries to allocate 2^64 bytes of memory and fails.
 [2017-01-13 18:17 UTC] mark-jones-xdf at zedwood dot com
This issue appears to also affect
 https://pecl.php.net/package/redis
in redis_session.c where it calls 
 url = php_url_parse_ex(save_path+i, j-i);
 [2017-03-10 07:47 UTC] daniel dot k at siteground dot com
Has this issue with Redis and Memcached been resolved. I don't see anything in the Redis PECL changelog:

https://pecl.php.net/package-changelog.php?package=redis&release=3.1.1
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Sep 17 16:01:27 2019 UTC