Edit report at https://bugs.php.net/bug.php?id=60629&edit=1
ID: 60629
Comment by: phpbugs at oops dot mooo dot com
Reported by: phpbugs at oops dot mooo dot com
Summary: memory corruption when web server closed the fcgi
fd(?)
Status: Open
Type: Bug
Package: FPM related
Operating System: Debian Squeeze
PHP Version: 5.3.9RC4
Block user comment: N
Private report: N
New Comment:
I think it might've been introduced in this commit (~line 270).
http://svn.php.net/viewvc/php/php-src/tags/php_5_3_9RC4/sapi/fpm/fpm/fpm_main.c?r1=317894&r2=317897
It looks like write() might have the same problem, since it returns a ssize_t
that's casted to size_t.
Fix might be to use ssize_t instead?
Previous Comments:
------------------------------------------------------------------------
[2011-12-30 23:12:00] phpbugs at oops dot mooo dot com
Description:
------------
I tried php5.3.9RC4 today and got a few core dumps.
I think b)fcgi_flush() returns false, making fcgi_write return -1. Then
sapi_cgibin_single_write will make it positive because ret is unsigned in c).
As a result, the comparison in d) will fail.
In debugger it looks like PHP is looping over open_packet() in an infinite
loop. Each time out_pos gets increased a little. Finally, after overwriting the
whole stack, it will SIGSEGV.
===
https://svn.php.net/repository/php/php-src/tags/php_5_3_9RC4/sapi/fpm/fpm/fastcgi.c
===
int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int
len)
{
int limit, rest;
if (len <= 0) {
return 0;
}
if (req->out_hdr && req->out_hdr->type != type) {
close_packet(req);
}
/* Optimized version */
limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
if (!req->out_hdr) {
limit -= sizeof(fcgi_header);
if (limit < 0) limit = 0;
}
if (len < limit) {
if (!req->out_hdr) {
open_packet(req, type);
}
memcpy(req->out_pos, str, len);
req->out_pos += len;
} else if (len - limit < sizeof(req->out_buf) - sizeof(fcgi_header)) {
if (!req->out_hdr) {
a) open_packet(req, type);
}
if (limit > 0) {
memcpy(req->out_pos, str, limit);
req->out_pos += limit;
}
if (!fcgi_flush(req, 0)) {
b) return -1;
}
===
https://svn.php.net/repository/php/php-src/tags/php_5_3_9RC4/sapi/fpm/fpm/fpm_main.c
===
static inline size_t sapi_cgibin_single_write(const char *str, uint str_length
TSRMLS_DC)
{
c) size_t ret;
/* sapi has started which means everyhting must be send through fcgi */
if (fpm_is_running) {
fcgi_request *request = (fcgi_request*) SG(server_context);
ret = fcgi_write(request, FCGI_STDOUT, str, str_length);
d) if (ret <= 0) {
return 0;
}
return ret;
}
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=60629&edit=1
