From:             
Operating system: Linux
PHP version:      5.3.3
Package:          MSSQL related
Bug Type:         Bug
Bug description: Segfault when optional parameters are not passed in to mssql_connect

Description:
------------
This was originally reported in Ubuntu:

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/611316

Calling mssql_connect() without all of its string arguments will cause php to segfault.

This happens on Ubuntu 10.10 beta, and Ubuntu 10.04. I also compiled php 5.3.3 vanilla with ./configure --with-mssql=/usr, and the script below caused the segfault.

The error is in this code around line 575 of ext/mssql/php_mssql.c:

        char *host = NULL, *user = NULL, *passwd = NULL;
        int host_len, user_len, passwd_len;
        zend_bool new_link = 0;
        char *hashed_details;
        int hashed_details_length;
        mssql_link mssql, *mssql_ptr;
        char buffer[40];

        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sssb", &host,
                &host_len, &user, &user_len, &passwd, &passwd_len, &new_link) == FAILURE) {
                return;
        }

        /* Limit strings to 255 chars to prevent overflow issues in underlying libraries */
        if(host_len>255) {
                host[255] = '\0';
        }
        if(user_len>255) {
                user[255] = '\0';
        }
        if(passwd_len>255) {
                passwd[255] = '\0';
        }


If the optional args are not passed in, the len and host parameters will be unchanged, and so a null pointer dereference may occur (depending on the arbitrary value of the _len variables).
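As an added illustration (not the reporter's code and not PHP's own fix), here is a hardened form of the truncation block in C: the clamp tolerates a NULL pointer for an optional argument that was never passed, so a stale stack value in a _len variable can no longer turn into a write through NULL. The helper names and the garbage length value are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* The extension truncates connection strings at this length before handing
 * them to the underlying library (value from the excerpt in the report). */
#define MSSQL_ARG_MAX 255

/* Hardened version of the truncation block from php_mssql_do_connect.
 * It returns the length the string has after clamping, and treats a NULL
 * pointer (an optional argument the caller did not pass) as empty instead
 * of indexing it. Added illustration, not the project's fix. */
static int clamp_connect_arg(char *s, int len)
{
    if (s == NULL)
        return 0;                    /* nothing was passed: do not touch it */
    if (len > MSSQL_ARG_MAX) {
        s[MSSQL_ARG_MAX] = '\0';     /* same truncation as the original code */
        return MSSQL_ARG_MAX;
    }
    return len;
}

/* Reproduces the report's scenario: no arguments passed, so the pointer is
 * NULL and the "_len" variable holds whatever was on the stack. The value
 * below is a constructed stand-in for that uninitialized value. In the
 * original code this path executes host[255] = '\0' and crashes; here it
 * returns 0 without touching memory. */
int demo_missing_args(void)
{
    char *host = NULL;
    int host_len = 0x7fffffff;       /* stand-in for an uninitialized length */
    return clamp_connect_arg(host, host_len);
}

/* The case the original check was written for: a host string longer than
 * 255 bytes is cut down to 255. Returns the resulting strlen(). */
int demo_long_host(void)
{
    static char host[300];
    memset(host, 'a', sizeof host - 1);
    host[sizeof host - 1] = '\0';
    clamp_connect_arg(host, (int)strlen(host));
    return (int)strlen(host);
}
```

Initializing host_len, user_len and passwd_len to 0 at declaration closes the same hole from the other side; the NULL check above is the defensive layer that holds even if a future parse path leaves a length unset.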



Test script:
---------------
php -r 'mssql_connect();'
Expected result:
----------------
I would expect the program to exit without crashing.

Actual result:
--------------
ubu...@domu-12-31-39-03-0d-c3:~/src/php5-5.3.3$ gdb php
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php...Reading symbols from /usr/lib/debug/usr/bin/php5...done.
done.
(gdb) run -r 'mssql_connect();'
Starting program: /usr/bin/php -r 'mssql_connect();'
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0xb75ac357 in php_mssql_do_connect (ht=0, return_value=0x88dadb4, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, persistent=0)
    at /home/ubuntu/src/php5-5.3.3/ext/mssql/php_mssql.c:587
587                     host[255] = '\0';
(gdb) bt
#0  0xb75ac357 in php_mssql_do_connect (ht=0, return_value=0x88dadb4, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0, persistent=0)
    at /home/ubuntu/src/php5-5.3.3/ext/mssql/php_mssql.c:587
#1  0x083600fa in zend_do_fcall_common_helper_SPEC (execute_data=0x0) at /home/ubuntu/src/php5-5.3.3/Zend/zend_vm_execute.h:316
#2  0x08336bbe in execute (op_array=0x88db2c0) at /home/ubuntu/src/php5-5.3.3/Zend/zend_vm_execute.h:107
#3  0x08300fc3 in zend_eval_stringl (str=0xbffff474 "mssql_connect();", str_len=16, retval_ptr=0x0, string_name=0x8749440 "Command line code")
    at /home/ubuntu/src/php5-5.3.3/Zend/zend_execute_API.c:1192
#4  0x08301162 in zend_eval_stringl_ex (str=0xbffff474 "mssql_connect();", str_len=16, retval_ptr=0x0, string_name=0x8749440 "Command line code",
    handle_exceptions=1) at /home/ubuntu/src/php5-5.3.3/Zend/zend_execute_API.c:1234
#5  0x083011e3 in zend_eval_string_ex (str=0xbffff474 "mssql_connect();", retval_ptr=0x0, string_name=0x8749440 "Command line code",
    handle_exceptions=1) at /home/ubuntu/src/php5-5.3.3/Zend/zend_execute_API.c:1245
#6  0x083a3689 in main (argc=3, argv=0xbffff324) at /home/ubuntu/src/php5-5.3.3/sapi/cli/php_cli.c:1235
(gdb)
-- 
Edit bug report at http://bugs.php.net/bug.php?id=52843&edit=1