From: [email protected]
Operating system: *
PHP version: 5.5Git-2013-10-21 (Git)
Package: Reproducible crash
Bug Type: Bug
Bug description: dangling context pointer causes crash
Description:
------------
The pointer to the stream context is not cleared in the persistent stream
struct, which results in a crash when that stream is re-used.
Test script:
---------------
<?php
// Opens a persistent, asynchronously connected TCP client stream.
// STREAM_CLIENT_PERSISTENT keeps the socket alive across requests,
// so it is handed back with its old context pointer on re-use.
function connect($host, $port, $timeout = 1) {
$conn_str = "tcp://{$host}:{$port}";
$opts = STREAM_CLIENT_CONNECT | STREAM_CLIENT_ASYNC_CONNECT
| STREAM_CLIENT_PERSISTENT;
$sock = stream_socket_client($conn_str, $errno, $errstr,
$timeout, $opts);
return $sock;
}
// First request creates the persistent stream; a later request that
// re-uses it is where the crash is observed.
$sock = connect("google.com", 80);
$req = "GET / HTTP/1.0\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n";
$len = fwrite($sock, $req);
$data = stream_get_contents($sock);
echo $data;
Expected result:
----------------
No crash.
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000764140 in php_stream_context_get_option
(context=0x7fd70dd833f8, wrappername=0xbe6fae "socket",
optionname=0xbe6fa7 "bindto",
optionvalue=0x7fff2c7b1680) at
/local/git/php-src/main/streams/streams.c:2219
2219 if (FAILURE ==
zend_hash_find(Z_ARRVAL_P(context->options), (char*)wrappername,
strlen(wrappername)+1, (void**)&wrapperhash)) {
(gdb) bt
#0 0x0000000000764140 in php_stream_context_get_option
(context=0x7fd70dd833f8, wrappername=0xbe6fae "socket",
optionname=0xbe6fa7 "bindto",
optionvalue=0x7fff2c7b1680) at
/local/git/php-src/main/streams/streams.c:2219
#1 0x0000000000773725 in php_tcp_sockop_connect (stream=0x10e2840,
sock=0x10e08b0, xparam=0x7fff2c7b1780)
at /local/git/php-src/main/streams/xp_socket.c:656
#2 0x0000000000773bc4 in php_tcp_sockop_set_option (stream=0x10e2840,
option=7, value=0, ptrparam=0x7fff2c7b1780)
at /local/git/php-src/main/streams/xp_socket.c:757
#3 0x0000000000761a76 in _php_stream_set_option (stream=0x10e2840,
option=7, value=0, ptrparam=0x7fff2c7b1780)
at /local/git/php-src/main/streams/streams.c:1353
#4 0x000000000077196e in php_stream_xport_connect (stream=0x10e2840,
name=0x7fd70dd7fc9e "google.com:80", namelen=13, asynchronous=1,
timeout=0x7fff2c7b19e0, error_text=0x7fff2c7b18e0,
error_code=0x7fff2c7b19d4) at
/local/git/php-src/main/streams/transports.c:243
#5 0x00000000007713fb in _php_stream_xport_create (name=0x7fd70dd7fc9e
"google.com:80", namelen=13, options=8, flags=18,
persistent_id=0x7fd70dd82da8
"stream_socket_client__tcp://google.com:80", timeout=0x7fff2c7b19e0,
context=0x7fd70dd833f8, error_string=0x7fff2c7b19c0,
error_code=0x7fff2c7b19d4, __php_stream_call_depth=0,
__zend_filename=0xbdf140
"/local/git/php-src/ext/standard/streamsfuncs.c", __zend_lineno=134,
__zend_orig_filename=0x0, __zend_orig_lineno=0) at
/local/git/php-src/main/streams/transports.c:143
#6 0x0000000000726d3b in zif_stream_socket_client (ht=5,
return_value=0x7fd70dd81690, return_value_ptr=0x0, this_ptr=0x0,
return_value_used=1)
at /local/git/php-src/ext/standard/streamsfuncs.c:131
#7 0x0000000000816f6e in zend_do_fcall_common_helper_SPEC
(execute_data=0x7fd70dd4f078) at
/local/git/php-src/Zend/zend_vm_execute.h:550
#8 0x000000000081b868 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0x7fd70dd4f078) at
/local/git/php-src/Zend/zend_vm_execute.h:2329
#9 0x000000000081665f in execute_ex (execute_data=0x7fd70dd4f078) at
/local/git/php-src/Zend/zend_vm_execute.h:363
#10 0x00000000008166e7 in zend_execute (op_array=0x7fd70dd7fd78) at
/local/git/php-src/Zend/zend_vm_execute.h:388
#11 0x00000000007d8554 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /local/git/php-src/Zend/zend.c:1320
#12 0x00000000007452fe in php_execute_script
(primary_file=0x7fff2c7b61a0) at /local/git/php-src/main/main.c:2489
#13 0x0000000000892bcf in main (argc=1, argv=0x7fff2c7b63c8) at
/local/git/php-src/sapi/fpm/fpm/fpm_main.c:1933
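To make the lifetime mismatch behind this report concrete, here is a constructed C model (added here, not php-src code): a per-request context that dies at request end, and a persistent stream that outlives it in a process-wide list. The buggy shutdown leaves the stream pointing at the dead context; the fixed shutdown unlinks it first, so a later lookup of the "bindto" option sees "not set" instead of dereferencing freed memory. All struct and function names are simplified stand-ins, not the real php_stream internals.

```c
#include <string.h>
/* Constructed model of the two lifetimes in this report (added example, not
 * php-src code): a per-request stream context torn down at request end, and
 * a persistent stream that survives in a process-wide list and is handed
 * back to the next request asking for the same persistent id. */
typedef struct {
    const char *bindto;  /* the "socket" option the backtrace was reading */
    int live;            /* 1 while the owning request is running */
} stream_context;
typedef struct {
    const char *persistent_id;
    stream_context *context;
} php_stream;
#define MAX_PERSISTENT 8
static php_stream persistent_list[MAX_PERSISTENT];
static int persistent_count;

/* Reuse the persistent entry with this id, or create one; either way the
 * current request's context is attached to the stream. */
static php_stream *stream_open_persistent(const char *id, stream_context *ctx) {
    for (int i = 0; i < persistent_count; i++)
        if (strcmp(persistent_list[i].persistent_id, id) == 0) {
            persistent_list[i].context = ctx;
            return &persistent_list[i];
        }
    if (persistent_count == MAX_PERSISTENT) return NULL;
    php_stream *s = &persistent_list[persistent_count++];
    s->persistent_id = id;
    s->context = ctx;
    return s;
}
/* Buggy shutdown: the context dies but the persistent stream keeps pointing
 * at it, so the next reuse dereferences freed memory (the SIGSEGV above). */
static void request_shutdown_buggy(stream_context *ctx) { ctx->live = 0; }
/* Fixed shutdown: unlink the dying context from every persistent stream
 * first, so a later reuse sees NULL and falls back to default options. */
static void request_shutdown_fixed(stream_context *ctx) {
    for (int i = 0; i < persistent_count; i++)
        if (persistent_list[i].context == ctx) persistent_list[i].context = NULL;
    ctx->live = 0;
}
/* 1 if the stream still references a context whose request has ended. */
static int stream_has_dangling_context(const php_stream *s) {
    return s->context != NULL && !s->context->live;
}
/* Option lookup that treats "no context" as "not set" instead of crashing. */
static const char *stream_get_bindto(const php_stream *s) {
    return s->context ? s->context->bindto : NULL;
}
```

In the real runtime the dead context's memory is actually freed, so the `live` flag here stands in for what a debugger or ASan would report as a use-after-free.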
--
Edit bug report at https://bugs.php.net/bug.php?id=65936&edit=1