php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77869 Core dump when using server controls
Submitted: 2019-04-09 11:45 UTC Modified: 2019-04-15 08:40 UTC
From: alec@php.net Assigned: mcmic (profile)
Status: Closed Package: LDAP related
PHP Version: 7.3.4 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: alec@php.net
New email:
PHP Version: OS:

 

 [2019-04-09 11:45 UTC] alec@php.net
Description:
------------
I'm using PHP 7.3.3-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Mar  7 2019 20:31:49) ( NTS )

Provided script dumps core on ldap_parse_result() call. I'm testing vlv controls features with server controls support added in 7.3. If you see the script, my control values are BER-encoded. They were working fine with the old-patch approach using ldap_parse_virtuallist_control(). The values are generated with methods used in Kolab's LDAP library from https://git.kolab.org/diffusion/PNL/browse/master/lib/Net/


Test script:
---------------
$controls = array (
  array (
    'oid' => '1.2.840.113556.1.4.473',
    'value' => base64_decode('MCgwDQQLZGlzcGxheW5hbWUwBAQCc24wCwQJZ2l2ZW5uYW1lMAQEAmNu'),
  ),
  array (
    'oid' => '2.16.840.1.113730.3.4.9',
    'value' => base64_decode('MA4CAQACAQGgBgIBAQIBAA=='),
    'iscritical' => true,
  ),
);
$base_dn = 'ou=People,dc=example,dc=org';
$filter = '(objectClass=inetOrgPerson)';
$attrs = array (
  0 => 'displayname',
  1 => 'sn',
);

$conn = ldap_connect('ldap://192.168.56.101:389');
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn, 'cn=Directory Manager', '12345');

$ldap_result = ldap_search($conn, $base_dn, $filter, $attrs,
    0, -1, -1, LDAP_DEREF_NEVER, $controls);
ldap_parse_result($conn, $ldap_result, $errcode, $matcheddn, $errmsg,
    $referrals, $serverctrls);

Expected result:
----------------
No core dump, $serverctrls set.

Actual result:
--------------
Core dump.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-10 11:26 UTC] alec@php.net
The same with PHP 7.3.4-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Apr 10 2019 06:11:41) ( NTS ).

Here's relevant fragment of bt full output:

#0  0x00007f44cb8cd95c in _php_ldap_control_to_array (request=0, array=0x7fff1dbb9210, ctrl=<optimized out>, ld=0x55d2e2b517b0)
    at ./ext/ldap/ldap.c:262
        count = 8
        context = 0x0
        value = {value = {lval = 139933671355936, dval = 6.9136419713407262e-310, counted = 0x7f44d8c5f620, str = 0x7f44d8c5f620,.
            arr = 0x7f44d8c5f620, obj = 0x7f44d8c5f620, res = 0x7f44d8c5f620, ref = 0x7f44d8c5f620, ast = 0x7f44d8c5f620, zv = 0x7f44d8c5f620,.
            ptr = 0x7f44d8c5f620, ce = 0x7f44d8c5f620, func = 0x7f44d8c5f620, ww = {w1 = 3636852256, w2 = 32580}}, u1 = {v = {type = 7 '\a',.
              type_flags = 1 '\001', u = {call_info = 0, extra = 0}}, type_info = 263}, u2 = {next = 4248345595, cache_slot = 4248345595,.
            opline_num = 4248345595, lineno = 4248345595, num_args = 4248345595, fe_pos = 4248345595, fe_iter_idx = 4248345595,.
            access_flags = 4248345595, property_guard = 4248345595, constant_flags = 4248345595, extra = 4248345595}}
        target = 1
        errcode = 0
        rc = <optimized out>
#1  _php_ldap_controls_to_array (ld=0x55d2e2b517b0, ctrls=0x55d2e2b52040, array=<optimized out>, request=0) at ./ext/ldap/ldap.c:587
        tmp1 = {value = {lval = 139933671355824, dval = 6.9136419713351927e-310, counted = 0x7f44d8c5f5b0, str = 0x7f44d8c5f5b0,.
            arr = 0x7f44d8c5f5b0, obj = 0x7f44d8c5f5b0, res = 0x7f44d8c5f5b0, ref = 0x7f44d8c5f5b0, ast = 0x7f44d8c5f5b0, zv = 0x7f44d8c5f5b0,.
            ptr = 0x7f44d8c5f5b0, ce = 0x7f44d8c5f5b0, func = 0x7f44d8c5f5b0, ww = {w1 = 3636852144, w2 = 32580}}, u1 = {v = {type = 7 '\a',.
              type_flags = 1 '\001', u = {call_info = 0, extra = 0}}, type_info = 263}, u2 = {next = 32580, cache_slot = 32580,.
            opline_num = 32580, lineno = 32580, num_args = 32580, fe_pos = 32580, fe_iter_idx = 32580, access_flags = 32580,.
            property_guard = 32580, constant_flags = 32580, extra = 32580}}
        ctrlp = 0x55d2e2b52048
        request = <optimized out>
        array = <optimized out>
        ld = <optimized out>
        tmp1 = <optimized out>
        ctrlp = <optimized out>
        __arr = <optimized out>
        ctrls = <optimized out>
        __z = <optimized out>
        tmp1 = <optimized out>
        ctrlp = <optimized out>
        __arr = <optimized out>
        __z = <optimized out>
#2  0x00007f44cb8cdece in zif_ldap_parse_result (execute_data=<optimized out>, return_value=0x7fff1dbb9390) at ./ext/ldap/ldap.c:3367
        link = 0x7f44d8c1d3a0
        result = 0x7f44d8c1d3b0
        errcode = 0x7f44d8c82110
        matcheddn = 0x7f44d8c820f8
        errmsg = 0x7f44d8c82140
        referrals = 0x7f44d8c82158
        serverctrls = 0x7f44d8c82170
        ld = 0x7f44d8c820a8
        ldap_result = <optimized out>
        lserverctrls = 0x55d2e2b52040
        lreferrals = 0x0
        refp = <optimized out>
        lmatcheddn = 0x0
        lerrmsg = 0x0
        rc = <optimized out>
        lerrcode = 0
        myargcount = 7
#3  0x000055d2e078dc09 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:645
        call = <optimized out>
        fbc = <optimized out>
        ret = <optimized out>
        retval = {value = {lval = -200238680384284672, dval = -1.5717195287081848e+295, counted = 0xfd389bfb2966d800,.
            str = 0xfd389bfb2966d800, arr = 0xfd389bfb2966d800, obj = 0xfd389bfb2966d800, res = 0xfd389bfb2966d800, ref = 0xfd389bfb2966d800,.
            ast = 0xfd389bfb2966d800, zv = 0xfd389bfb2966d800, ptr = 0xfd389bfb2966d800, ce = 0xfd389bfb2966d800, func = 0xfd389bfb2966d800,.
            ww = {w1 = 694605824, w2 = 4248345595}}, u1 = {v = {type = 16 '\020', type_flags = 48 '0', u = {call_info = 55496,.
                extra = 55496}}, type_info = 3636998160}, u2 = {next = 32580, cache_slot = 32580, opline_num = 32580, lineno = 32580,.
            num_args = 32580, fe_pos = 32580, fe_iter_idx = 32580, access_flags = 32580, property_guard = 32580, constant_flags = 32580,.
            extra = 32580}}
        call = <optimized out>
        fbc = <optimized out>
        ret = <optimized out>
        retval = <optimized out>
...
 [2019-04-11 15:48 UTC] cmb@php.net
-Assigned To: +Assigned To: mcmic
 [2019-04-11 15:48 UTC] cmb@php.net
Obviously a null dereferencing[1] issue.  Côme, could you please
have a look at this?

[1] <https://github.com/php/php-src/blob/php-7.3.4/ext/ldap/ldap.c#L262>
 [2019-04-15 08:01 UTC] mcmic@php.net
Thanks for the report, indeed it seems this context out parameter may be filled with NULL.
I will commit a fix for this.
 [2019-04-15 08:40 UTC] mcmic@php.net
-Status: Assigned +Status: Closed
 [2019-04-15 08:40 UTC] mcmic@php.net
Should be fixed in git branches PHP-7.3, PHP-7.4 and master.

Please report any other problems you may find in LDAP control handling since the code is quite new.

Also, note that you can use constants LDAP_CONTROL_SORTREQUEST and LDAP_CONTROL_VLVREQUEST in your code instead of the bare OIDs to make it easier to read. And you can pass values as arrays if you want php-ldap to ber-encode for you.

So your code should be equivalent to:

$controls = array (
  array (
    'oid' => LDAP_CONTROL_SORTREQUEST,
    'value' => array(array('attr' => 'displayname'), array('attr' => 'sn'), array('attr' => 'givenname'), array('attr' => 'cn')),
  ),
  array (
    'oid' => LDAP_CONTROL_VLVREQUEST,
    'value' => array('before' => 0, 'after' => 1, 'offset' => 1, 'count' => 0),
    'iscritical' => true,
  ),
);

See https://secure.php.net/manual/en/ldap.controls.php
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 15:01:30 2024 UTC