PHP :: Bug #73539 :: memcache session handler with two backend servers Fatal Error (out of memory)

Bug #73539

memcache session handler with two backend servers Fatal Error (out of memory)

Submitted:

2016-11-16 09:53 UTC

Modified:

2021-03-25 16:39 UTC

Votes:	92
Avg. Score:	4.9 ± 0.3
Reproduced:	90 of 90 (100.0%)
Same Version:	85 (94.4%)
Same OS:	14 (15.6%)

From:

php at bof dot de

Assigned:

cmb (profile)

Status:

Closed

Package:

memcache (PECL)

PHP Version:

5.6.28

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	php at bof dot de
New email:
PHP Version:		OS:

New Comment:

[2016-11-16 09:53 UTC] php at bof dot de

Description:
------------
Re-Report with better-suited Package (memcache), original bug report: 

https://bugs.php.net/bug.php?id=73497

Using memcache 3.0.8 with 5.6.28 fails when more than one backend server is configured.

There was a change from 5.6.27 to 5.6.28 in ext/standard/url.c php_url_parse_ex which resulted in that regression. That function does not, in various places, work properly with the passed-in length parameter. The recent change, given the use in memcache_session.c, then results in a fatal memory error.

For test script etc. please see that other bug report.

The appended patch fixes the issue for me, by making, in memcache_session.c, an estrndup of the single server substring before passing it to php_url_parse_ex().

Private communication with nikic yesterday indicated that right now php_url_parse_ex is considered to fragile to be made length-safe, so please consider applying that patch to the memcache extension, and respinning a memcache-3.0.9 release.

Patches

memcache_session_parse_fix.patch (last revision 2016-11-16 09:54 UTC by php at bof dot de)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-01-12 16:44 UTC] carmstrong at trilliumit dot com

This issue also affects php 7.0.13. With php 7 on a 64 bit system memcached tries to allocate 2^64 bytes of memory and fails.

[2017-01-13 18:17 UTC] mark-jones-xdf at zedwood dot com

This issue appears to also affect
 https://pecl.php.net/package/redis
in redis_session.c where it calls 
 url = php_url_parse_ex(save_path+i, j-i);

[2017-03-10 07:47 UTC] daniel dot k at siteground dot com

Has this issue with Redis and Memcached been resolved. I don't see anything in the Redis PECL changelog:

https://pecl.php.net/package-changelog.php?package=redis&release=3.1.1

[2021-03-25 16:39 UTC] cmb@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb

[2021-03-25 16:39 UTC] cmb@php.net

The official bug tracker for PECL/memcache is now at
<https://github.com/websupport-sk/pecl-memcache/issues>.

So, if this is still an issue with either of the current memcache
versions (4 or 8), please file an issue there.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 23 21:01:31 2024 UTC