Bug #77869 Core dump when using server controls
Submitted: 2019-04-09 11:45 UTC Modified: 2019-04-15 08:40 UTC
From: alec@php.net Assigned: mcmic (profile)
Status: Closed Package: LDAP related
PHP Version: 7.3.4 OS:
Private report: No CVE-ID: None
 [2019-04-09 11:45 UTC] alec@php.net
Description:
------------
I'm using PHP 7.3.3-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Mar  7 2019 20:31:49) ( NTS )

Provided script dumps core on ldap_parse_result() call. I'm testing vlv controls features with server controls support added in 7.3. If you see the script, my control values are BER-encoded. They were working fine with the old-patch approach using ldap_parse_virtuallist_control(). The values are generated with methods used in Kolab's LDAP library from https://git.kolab.org/diffusion/PNL/browse/master/lib/Net/


Test script:
---------------
$controls = array (
  array (
    'oid' => '1.2.840.113556.1.4.473',
    'value' => base64_decode('MCgwDQQLZGlzcGxheW5hbWUwBAQCc24wCwQJZ2l2ZW5uYW1lMAQEAmNu'),
  ),
  array (
    'oid' => '2.16.840.1.113730.3.4.9',
    'value' => base64_decode('MA4CAQACAQGgBgIBAQIBAA=='),
    'iscritical' => true,
  ),
);
$base_dn = 'ou=People,dc=example,dc=org';
$filter = '(objectClass=inetOrgPerson)';
$attrs = array (
  0 => 'displayname',
  1 => 'sn',
);

$conn = ldap_connect('ldap://192.168.56.101:389');
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn, 'cn=Directory Manager', '12345');

$ldap_result = ldap_search($conn, $base_dn, $filter, $attrs,
    0, -1, -1, LDAP_DEREF_NEVER, $controls);
ldap_parse_result($conn, $ldap_result, $errcode, $matcheddn, $errmsg,
    $referrals, $serverctrls);

Expected result:
----------------
No core dump, $serverctrls set.

Actual result:
--------------
Core dump.

 [2019-04-10 11:26 UTC] alec@php.net
The same with PHP 7.3.4-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Apr 10 2019 06:11:41) ( NTS ).

Here's relevant fragment of bt full output:

#0  0x00007f44cb8cd95c in _php_ldap_control_to_array (request=0, array=0x7fff1dbb9210, ctrl=<optimized out>, ld=0x55d2e2b517b0)
    at ./ext/ldap/ldap.c:262
        count = 8
        context = 0x0
        value = {value = {lval = 139933671355936, dval = 6.9136419713407262e-310, counted = 0x7f44d8c5f620, str = 0x7f44d8c5f620,.
            arr = 0x7f44d8c5f620, obj = 0x7f44d8c5f620, res = 0x7f44d8c5f620, ref = 0x7f44d8c5f620, ast = 0x7f44d8c5f620, zv = 0x7f44d8c5f620,.
            ptr = 0x7f44d8c5f620, ce = 0x7f44d8c5f620, func = 0x7f44d8c5f620, ww = {w1 = 3636852256, w2 = 32580}}, u1 = {v = {type = 7 '\a',.
              type_flags = 1 '\001', u = {call_info = 0, extra = 0}}, type_info = 263}, u2 = {next = 4248345595, cache_slot = 4248345595,.
            opline_num = 4248345595, lineno = 4248345595, num_args = 4248345595, fe_pos = 4248345595, fe_iter_idx = 4248345595,.
            access_flags = 4248345595, property_guard = 4248345595, constant_flags = 4248345595, extra = 4248345595}}
        target = 1
        errcode = 0
        rc = <optimized out>
#1  _php_ldap_controls_to_array (ld=0x55d2e2b517b0, ctrls=0x55d2e2b52040, array=<optimized out>, request=0) at ./ext/ldap/ldap.c:587
        tmp1 = {value = {lval = 139933671355824, dval = 6.9136419713351927e-310, counted = 0x7f44d8c5f5b0, str = 0x7f44d8c5f5b0,.
            arr = 0x7f44d8c5f5b0, obj = 0x7f44d8c5f5b0, res = 0x7f44d8c5f5b0, ref = 0x7f44d8c5f5b0, ast = 0x7f44d8c5f5b0, zv = 0x7f44d8c5f5b0,.
            ptr = 0x7f44d8c5f5b0, ce = 0x7f44d8c5f5b0, func = 0x7f44d8c5f5b0, ww = {w1 = 3636852144, w2 = 32580}}, u1 = {v = {type = 7 '\a',.
              type_flags = 1 '\001', u = {call_info = 0, extra = 0}}, type_info = 263}, u2 = {next = 32580, cache_slot = 32580,.
            opline_num = 32580, lineno = 32580, num_args = 32580, fe_pos = 32580, fe_iter_idx = 32580, access_flags = 32580,.
            property_guard = 32580, constant_flags = 32580, extra = 32580}}
        ctrlp = 0x55d2e2b52048
        request = <optimized out>
        array = <optimized out>
        ld = <optimized out>
        tmp1 = <optimized out>
        ctrlp = <optimized out>
        __arr = <optimized out>
        ctrls = <optimized out>
        __z = <optimized out>
        tmp1 = <optimized out>
        ctrlp = <optimized out>
        __arr = <optimized out>
        __z = <optimized out>
#2  0x00007f44cb8cdece in zif_ldap_parse_result (execute_data=<optimized out>, return_value=0x7fff1dbb9390) at ./ext/ldap/ldap.c:3367
        link = 0x7f44d8c1d3a0
        result = 0x7f44d8c1d3b0
        errcode = 0x7f44d8c82110
        matcheddn = 0x7f44d8c820f8
        errmsg = 0x7f44d8c82140
        referrals = 0x7f44d8c82158
        serverctrls = 0x7f44d8c82170
        ld = 0x7f44d8c820a8
        ldap_result = <optimized out>
        lserverctrls = 0x55d2e2b52040
        lreferrals = 0x0
        refp = <optimized out>
        lmatcheddn = 0x0
        lerrmsg = 0x0
        rc = <optimized out>
        lerrcode = 0
        myargcount = 7
#3  0x000055d2e078dc09 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:645
        call = <optimized out>
        fbc = <optimized out>
        ret = <optimized out>
        retval = {value = {lval = -200238680384284672, dval = -1.5717195287081848e+295, counted = 0xfd389bfb2966d800,.
            str = 0xfd389bfb2966d800, arr = 0xfd389bfb2966d800, obj = 0xfd389bfb2966d800, res = 0xfd389bfb2966d800, ref = 0xfd389bfb2966d800,.
            ast = 0xfd389bfb2966d800, zv = 0xfd389bfb2966d800, ptr = 0xfd389bfb2966d800, ce = 0xfd389bfb2966d800, func = 0xfd389bfb2966d800,.
            ww = {w1 = 694605824, w2 = 4248345595}}, u1 = {v = {type = 16 '\020', type_flags = 48 '0', u = {call_info = 55496,.
                extra = 55496}}, type_info = 3636998160}, u2 = {next = 32580, cache_slot = 32580, opline_num = 32580, lineno = 32580,.
            num_args = 32580, fe_pos = 32580, fe_iter_idx = 32580, access_flags = 32580, property_guard = 32580, constant_flags = 32580,.
            extra = 32580}}
        call = <optimized out>
        fbc = <optimized out>
        ret = <optimized out>
        retval = <optimized out>
...
 [2019-04-11 15:48 UTC] cmb@php.net
-Assigned To: +Assigned To: mcmic
 [2019-04-11 15:48 UTC] cmb@php.net
Obviously a null dereferencing[1] issue.  Côme, could you please
have a look at this?

[1] <https://github.com/php/php-src/blob/php-7.3.4/ext/ldap/ldap.c#L262>
 [2019-04-15 08:01 UTC] mcmic@php.net
Thanks for the report, indeed it seems this context out parameter may be filled with NULL.
I will commit a fix for this.
 [2019-04-15 08:40 UTC] mcmic@php.net
-Status: Assigned +Status: Closed
 [2019-04-15 08:40 UTC] mcmic@php.net
Should be fixed in git branches PHP-7.3, PHP-7.4 and master.

Please report any other problems you may find in LDAP control handling since the code is quite new.

Also, note that you can use constants LDAP_CONTROL_SORTREQUEST and LDAP_CONTROL_VLVREQUEST in your code instead of the bare OIDs to make it easier to read. And you can pass values as arrays if you want php-ldap to ber-encode for you.

So your code should be equivalent to:

$controls = array (
  array (
    'oid' => LDAP_CONTROL_SORTREQUEST,
    'value' => array(array('attr' => 'displayname'), array('attr' => 'sn'), array('attr' => 'givenname'), array('attr' => 'cn')),
  ),
  array (
    'oid' => LDAP_CONTROL_VLVREQUEST,
    'value' => array('before' => 0, 'after' => 1, 'offset' => 1, 'count' => 0),
    'iscritical' => true,
  ),
);

See https://secure.php.net/manual/en/ldap.controls.php
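
Added example, not part of the original thread and not php-ldap code: a minimal BER reader in Python that decodes the two base64 control values from the test script, so they can be compared with the array form given in the last comment. It handles definite lengths and the byOffset form of the VLV target only; all function names are illustrative.

```python
import base64

# Control values copied from the test script in this report.
SORT_VALUE = base64.b64decode("MCgwDQQLZGlzcGxheW5hbWUwBAQCc24wCwQJZ2l2ZW5uYW1lMAQEAmNu")
VLV_VALUE = base64.b64decode("MA4CAQACAQGgBgIBAQIBAA==")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at pos (definite lengths only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def unwrap_sequence(raw):
    """Require exactly one outer SEQUENCE (0x30) and return its children."""
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected a single outer SEQUENCE")
    return children(body)

def decode_sort_request(raw):
    """SortKeyList: SEQUENCE OF SEQUENCE { attributeType OCTET STRING, ... }."""
    attrs = []
    for tag, key in unwrap_sequence(raw):
        fields = children(key) if tag == 0x30 else []
        if not fields or fields[0][0] != 0x04:
            raise ValueError("sort key without attributeType")
        attrs.append(fields[0][1].decode("ascii"))
    return attrs

def decode_vlv_request(raw):
    """VLV request: beforeCount, afterCount, byOffset [0] { offset, contentCount }."""
    parts = unwrap_sequence(raw)
    if [t for t, _ in parts[:3]] != [0x02, 0x02, 0xA0]:
        raise ValueError("only the byOffset form is handled here")
    target = children(parts[2][1])
    if [t for t, _ in target] != [0x02, 0x02]:
        raise ValueError("malformed byOffset")
    num = lambda b: int.from_bytes(b, "big", signed=True)
    return {"before": num(parts[0][1]), "after": num(parts[1][1]),
            "offset": num(target[0][1]), "count": num(target[1][1])}
```

Calling `decode_sort_request(SORT_VALUE)` and `decode_vlv_request(VLV_VALUE)` returns the decoded sort keys and VLV counters; truncated input raises `ValueError` instead of reading past the buffer.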
Last updated: Tue Oct 08 13:01:26 2024 UTC