Bug #75862 PHP --disable-ipv6, curl --enable-ipv6
Submitted: 2018-01-23 17:16 UTC Modified: -
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: dpa-bugs at aegee dot org Assigned:
Status: Open Package: cURL related
PHP Version: 7.1.13 OS: Linux
Private report: No CVE-ID: None
 [2018-01-23 17:16 UTC] dpa-bugs at aegee dot org
Description:
------------
When PHP is compiled with ./configure --disable-ipv6 and CURL supports IPv6, then an implicit
  curl_setopt($connection, CURLOPT_IPRESOLVE,  CURL_IPRESOLVE_V4);

must exist in ext/curl/. Otherwise php-fpm crashes until the above line is added in the <?php code.

Test script:
---------------
This is what valgrind reports:

==16016== Thread 2:
==16016== Use of uninitialised value of size 8
==16016==    at 0x964380C: __libc_res_nsearch (res_query.c:395)
==16016==    by 0x1A6108E1: ???
==16016==    by 0xDE1B13B: gaih_inet (getaddrinfo.c:870)
==16016==    by 0xDE1C85C: getaddrinfo (getaddrinfo.c:2426)
==16016==    by 0x858ABB3: Curl_getaddrinfo_ex (curl_addrinfo.c:124)
==16016==    by 0x85955B0: getaddrinfo_thread (asyn-thread.c:279)
==16016==    by 0x8592FBA: curl_thread_create_thunk (curl_threads.c:57)
==16016==    by 0xA272063: start_thread (pthread_create.c:309)
==16016==    by 0xDE2F62C: clone (clone.S:111)
==16016==  Uninitialised value was created by a stack allocation
==16016==    at 0x1A610859: ???
==16016== 
==16016== Invalid read of size 4
==16016==    at 0x964380C: __libc_res_nsearch (res_query.c:395)
==16016==    by 0x1A6108E1: ???
==16016==    by 0xDE1B13B: gaih_inet (getaddrinfo.c:870)
==16016==    by 0xDE1C85C: getaddrinfo (getaddrinfo.c:2426)
==16016==    by 0x858ABB3: Curl_getaddrinfo_ex (curl_addrinfo.c:124)
==16016==    by 0x85955B0: getaddrinfo_thread (asyn-thread.c:279)
==16016==    by 0x8592FBA: curl_thread_create_thunk (curl_threads.c:57)
==16016==    by 0xA272063: start_thread (pthread_create.c:309)
==16016==    by 0xDE2F62C: clone (clone.S:111)
==16016==  Address 0x2 is not stack'd, malloc'd or (recently) free'd
==16016== 
==16016== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==16016==  Access not within mapped region at address 0x2
==16016==    at 0x964380C: __libc_res_nsearch (res_query.c:395)
==16016==    by 0x1A6108E1: ???
==16016==    by 0xDE1B13B: gaih_inet (getaddrinfo.c:870)
==16016==    by 0xDE1C85C: getaddrinfo (getaddrinfo.c:2426)
==16016==    by 0x858ABB3: Curl_getaddrinfo_ex (curl_addrinfo.c:124)
==16016==    by 0x85955B0: getaddrinfo_thread (asyn-thread.c:279)
==16016==    by 0x8592FBA: curl_thread_create_thunk (curl_threads.c:57)
==16016==    by 0xA272063: start_thread (pthread_create.c:309)
==16016==    by 0xDE2F62C: clone (clone.S:111)
==16016==  If you believe this happened as a result of a stack
==16016==  overflow in your program's main thread (unlikely but
==16016==  possible), you can try to increase the size of the
==16016==  main thread stack using the --main-stacksize= flag.
==16016==  The main thread stack size used in this run was 8388608.
==16016== 
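
The workaround from the description, applied only on the affected build combination, as an added example (not code from the report or from php-src). The helper names are hypothetical, and using `inet_pton('::1')` to detect a `--disable-ipv6` build is an assumption.

```php
<?php
// Added example: pin libcurl to IPv4 only when PHP lacks IPv6 and libcurl has it.

/**
 * Assumption: on a PHP build configured with --disable-ipv6,
 * inet_pton() rejects IPv6 literals and returns false.
 */
function php_has_ipv6(): bool
{
    return function_exists('inet_pton') && @inet_pton('::1') !== false;
}

/** True when the linked libcurl reports IPv6 in its feature bitmask. */
function libcurl_has_ipv6(): bool
{
    $info = curl_version();
    return ($info['features'] & CURL_VERSION_IPV6) !== 0;
}

/** The build combination described in the report. */
function needs_ipv4_pin(): bool
{
    return !php_has_ipv6() && libcurl_has_ipv6();
}

/** Hypothetical wrapper: create a handle and apply the workaround if needed. */
function curl_init_pinned(string $url)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init() failed');
    }
    if (needs_ipv4_pin()
        && !curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4)) {
        throw new RuntimeException('could not set CURLOPT_IPRESOLVE');
    }
    return $ch;
}

// Report the build state; no network request is made here.
printf(
    "PHP IPv6: %s, libcurl IPv6: %s, IPv4 pin needed: %s\n",
    php_has_ipv6() ? 'yes' : 'no',
    libcurl_has_ipv6() ? 'yes' : 'no',
    needs_ipv4_pin() ? 'yes' : 'no'
);
$ch = curl_init_pinned('https://example.org/'); // placeholder URL
curl_close($ch);
```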


Patches

ext_curl_interface_c-7.3.patch (last revision 2021-10-23 16:47 UTC by dpa-bugs at aegee dot org)

Pull Requests

History

 [2018-01-24 14:20 UTC] dpa-bugs at aegee dot org
Proposed patch:

--- php-7.1.13/ext/curl/interface.c.orig        2018-01-24 14:07:06.844000000 +0000
+++ php-7.1.13/ext/curl/interface.c     2018-01-24 14:15:23.436000000 +0000
@@ -1953,6 +1953,9 @@
 #endif
        curl_easy_setopt(ch->cp, CURLOPT_DNS_CACHE_TIMEOUT, 120);
        curl_easy_setopt(ch->cp, CURLOPT_MAXREDIRS, 20); /* prevent infinite redirects */
+#if !ENABLE_IPV6 && LIBCURL_VERSION_NUM >= 0x070a08 /* 7.10.8 */
+       curl_easy_setopt(ch->cp, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+#endif
 
        cainfo = INI_STR("openssl.cafile");
        if (!(cainfo && cainfo[0] != '\0')) {
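Review bot: the guard `#if !ENABLE_IPV6` on the added lines depends on ENABLE_IPV6 being defined in this file, and nothing in the visible context defines it. An identifier that is not defined evaluates to 0 inside `#if`, so in that case the condition is true in every build and every handle is pinned to CURL_IPRESOLVE_V4, including builds where PHP has IPv6. Please confirm which macro PHP's configure sets for --enable-ipv6 (php-src's own network code tests HAVE_IPV6) and use that one, and add a one-line comment next to the curl_easy_setopt call saying why the default is forced.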
@@ -2310,6 +2313,12 @@
                case CURLOPT_MUTE:
 #endif
                        lval = zval_get_long(zvalue);
+#if !ENABLE_IPV6 && LIBCURL_VERSION_NUM >= 0x070a08 /* Available since 7.10.8 */
+                       if (option == CURLOPT_IPRESOLVE && lval == CURL_IPRESOLVE_V6) {
+                                       php_error_docref(NULL, E_WARNING, "CURL_IPRESOLVE_V6 cannot be activated as php is compiled without IPv6 support");
+                                       return 1;
+                       }
+#endif
 #if LIBCURL_VERSION_NUM >= 0x71304
                        if ((option == CURLOPT_PROTOCOLS || option == CURLOPT_REDIR_PROTOCOLS) &&
                                (PG(open_basedir) && *PG(open_basedir)) && (lval & CURLPROTO_FILE)) {
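Review bot: the added check rejects only `lval == CURL_IPRESOLVE_V6`, so a script that sets CURLOPT_IPRESOLVE to CURL_IPRESOLVE_WHATEVER still overwrites the CURL_IPRESOLVE_V4 default from the first hunk and re-enables IPv6 resolution on a build without IPv6. Consider rejecting every value other than CURL_IPRESOLVE_V4 in this branch (`lval != CURL_IPRESOLVE_V4`). The same question about the ENABLE_IPV6 macro applies to this guard. Style: the two lines inside the `if` are indented two levels deeper than the `if` itself, and the message should say "PHP" rather than "php".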
 [2021-10-23 16:47 UTC] dpa-bugs at aegee dot org
The following patch has been added/updated:

Patch Name: ext_curl_interface_c-7.3.patch
Revision:   1635007624
URL:        https://bugs.php.net/patch-display.php?bug=75862&patch=ext_curl_interface_c-7.3.patch&revision=1635007624
 [2021-11-19 19:44 UTC] dpa-bugs at aegee dot org
See also https://github.com/php/php-src/pull/7669 .
 [2021-11-23 13:59 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: 7.4 — curl/interface.c: avoid crashing, when PHP is compiled without IPv6 support, and CURL has IPv6 support
On GitHub:  https://github.com/php/php-src/pull/7669
Patch:      https://github.com/php/php-src/pull/7669.patch
 
Last updated: Thu Dec 05 20:01:29 2024 UTC