PHP :: Bug #73539 :: memcache session handler with two backend servers Fatal Error (out of memory)

Bug #73539

memcache session handler with two backend servers Fatal Error (out of memory)

Submitted:

2016-11-16 09:53 UTC

Modified:

2021-03-25 16:39 UTC

Votes:	92
Avg. Score:	4.9 ± 0.3
Reproduced:	90 of 90 (100.0%)
Same Version:	85 (94.4%)
Same OS:	14 (15.6%)

From:

php at bof dot de

Assigned:

cmb (profile)

Status:

Closed

Package:

memcache (PECL)

PHP Version:

5.6.28

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2016-11-16 09:53 UTC] php at bof dot de

Description:
------------
Re-Report with better-suited Package (memcache), original bug report: 

https://bugs.php.net/bug.php?id=73497

Using memcache 3.0.8 with 5.6.28 fails when more than one backend server is configured.

There was a change from 5.6.27 to 5.6.28 in ext/standard/url.c php_url_parse_ex which resulted in that regression. That function does not, in various places, work properly with the passed-in length parameter. The recent change, given the use in memcache_session.c, then results in a fatal memory error.

For test script etc. please see that other bug report.

The appended patch fixes the issue for me, by making, in memcache_session.c, an estrndup of the single server substring before passing it to php_url_parse_ex().

Private communication with nikic yesterday indicated that right now php_url_parse_ex is considered to fragile to be made length-safe, so please consider applying that patch to the memcache extension, and respinning a memcache-3.0.9 release.

Patches

memcache_session_parse_fix.patch (last revision 2016-11-16 09:54 UTC by php at bof dot de)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-01-12 16:44 UTC] carmstrong at trilliumit dot com

This issue also affects php 7.0.13. With php 7 on a 64 bit system memcached tries to allocate 2^64 bytes of memory and fails.

[2017-01-13 18:17 UTC] mark-jones-xdf at zedwood dot com

This issue appears to also affect
 https://pecl.php.net/package/redis
in redis_session.c where it calls 
 url = php_url_parse_ex(save_path+i, j-i);

[2017-03-10 07:47 UTC] daniel dot k at siteground dot com

Has this issue with Redis and Memcached been resolved. I don't see anything in the Redis PECL changelog:

https://pecl.php.net/package-changelog.php?package=redis&release=3.1.1

[2021-03-25 16:39 UTC] cmb@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb

[2021-03-25 16:39 UTC] cmb@php.net

The official bug tracker for PECL/memcache is now at
<https://github.com/websupport-sk/pecl-memcache/issues>.

So, if this is still an issue with either of the current memcache
versions (4 or 8), please file an issue there.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Mar 13 18:01:30 2025 UTC