Edit report at https://bugs.php.net/bug.php?id=65936&edit=1

 ID:                 65936
 Updated by:         tony2...@php.net
 Reported by:        tony2...@php.net
 Summary:            dangling context pointer causes crash
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   *
 PHP Version:        5.5Git-2013-10-21 (Git)
 Assigned To:        tony2001
 Block user comment: N
 Private report:     N

 New Comment:

Automatic comment on behalf of tony2001
Revision: 
http://git.php.net/?p=php-src.git;a=commit;h=b636c03426193ecf0b7e166126a14b70ce8185e9
Log: fix bug #65936 (dangling context pointer causes crash)


Previous Comments:
------------------------------------------------------------------------
[2013-10-21 10:52:54] tony2...@php.net

Description:
------------
Pointer to stream context is not cleared in persistent stream struct, which results in a crash when re-using that stream.

Test script:
---------------
<?php

// Open (or, on a later request in the same worker, reuse) a persistent
// asynchronous TCP connection keyed by the "tcp://host:port" string.
function connect($host, $port, $timeout = 1) {
    $conn_str = "tcp://{$host}:{$port}";
    $opts = STREAM_CLIENT_CONNECT | STREAM_CLIENT_ASYNC_CONNECT | STREAM_CLIENT_PERSISTENT;
    $sock = stream_socket_client($conn_str, $errno, $errstr, $timeout, $opts);
    return $sock;
}

$sock = connect("google.com", 80);

$req = "GET / HTTP/1.0\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n";

$len = fwrite($sock, $req);

$data = stream_get_contents($sock);

echo $data;

Expected result:
----------------
No crash.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000764140 in php_stream_context_get_option (context=0x7fd70dd833f8, wrappername=0xbe6fae "socket", optionname=0xbe6fa7 "bindto", optionvalue=0x7fff2c7b1680) at /local/git/php-src/main/streams/streams.c:2219
2219            if (FAILURE == zend_hash_find(Z_ARRVAL_P(context->options), (char*)wrappername, strlen(wrappername)+1, (void**)&wrapperhash)) {
(gdb) bt
#0  0x0000000000764140 in php_stream_context_get_option (context=0x7fd70dd833f8, wrappername=0xbe6fae "socket", optionname=0xbe6fa7 "bindto", optionvalue=0x7fff2c7b1680) at /local/git/php-src/main/streams/streams.c:2219
#1  0x0000000000773725 in php_tcp_sockop_connect (stream=0x10e2840, sock=0x10e08b0, xparam=0x7fff2c7b1780) at /local/git/php-src/main/streams/xp_socket.c:656
#2  0x0000000000773bc4 in php_tcp_sockop_set_option (stream=0x10e2840, option=7, value=0, ptrparam=0x7fff2c7b1780) at /local/git/php-src/main/streams/xp_socket.c:757
#3  0x0000000000761a76 in _php_stream_set_option (stream=0x10e2840, option=7, value=0, ptrparam=0x7fff2c7b1780) at /local/git/php-src/main/streams/streams.c:1353
#4  0x000000000077196e in php_stream_xport_connect (stream=0x10e2840, name=0x7fd70dd7fc9e "google.com:80", namelen=13, asynchronous=1, timeout=0x7fff2c7b19e0, error_text=0x7fff2c7b18e0, error_code=0x7fff2c7b19d4) at /local/git/php-src/main/streams/transports.c:243
#5  0x00000000007713fb in _php_stream_xport_create (name=0x7fd70dd7fc9e "google.com:80", namelen=13, options=8, flags=18, persistent_id=0x7fd70dd82da8 "stream_socket_client__tcp://google.com:80", timeout=0x7fff2c7b19e0, context=0x7fd70dd833f8, error_string=0x7fff2c7b19c0, error_code=0x7fff2c7b19d4, __php_stream_call_depth=0, __zend_filename=0xbdf140 "/local/git/php-src/ext/standard/streamsfuncs.c", __zend_lineno=134, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /local/git/php-src/main/streams/transports.c:143
#6  0x0000000000726d3b in zif_stream_socket_client (ht=5, return_value=0x7fd70dd81690, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /local/git/php-src/ext/standard/streamsfuncs.c:131
#7  0x0000000000816f6e in zend_do_fcall_common_helper_SPEC (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:550
#8  0x000000000081b868 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:2329
#9  0x000000000081665f in execute_ex (execute_data=0x7fd70dd4f078) at /local/git/php-src/Zend/zend_vm_execute.h:363
#10 0x00000000008166e7 in zend_execute (op_array=0x7fd70dd7fd78) at /local/git/php-src/Zend/zend_vm_execute.h:388
#11 0x00000000007d8554 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /local/git/php-src/Zend/zend.c:1320
#12 0x00000000007452fe in php_execute_script (primary_file=0x7fff2c7b61a0) at /local/git/php-src/main/main.c:2489
#13 0x0000000000892bcf in main (argc=1, argv=0x7fff2c7b63c8) at /local/git/php-src/sapi/fpm/fpm/fpm_main.c:1933



------------------------------------------------------------------------
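The ownership rule behind this report, as an added example in C that is not php-src code and does not reproduce the fix commit: a persistent stream outlives the request that opened it, while the stream context it was opened with is a per-request object, so tearing down the request must clear the stream's borrowed context pointer before the context is freed, and the connect path must tolerate a reused stream that has no context at all. All names here (pstream, req_context, pstream_open, request_end, run_two_requests) are hypothetical stand-ins for the real stream structures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not php-src: one option in a per-request stream
 * context, e.g. ("socket", "bindto", "10.0.0.5:0"). */
typedef struct {
    const char *wrapper;
    const char *name;
    const char *value;
} ctx_option;

/* Per-request context. It is freed when the request ends. */
typedef struct {
    ctx_option opts[8];
    int nopts;
} req_context;

/* Persistent stream: lives in a process-wide table across requests.
 * The context pointer is borrowed, never owned, and must be NULL
 * whenever no request is currently using the stream. */
typedef struct {
    char id[64];
    int fd;               /* stands in for the real socket descriptor */
    req_context *context; /* borrowed from the current request, or NULL */
} pstream;

#define PTABLE_MAX 4
static pstream ptable[PTABLE_MAX];
static int ptable_len;

req_context *context_create(void) {
    return calloc(1, sizeof(req_context));
}

int context_set_option(req_context *c, const char *wrapper, const char *name, const char *value) {
    if (c == NULL || c->nopts >= 8) return -1;
    c->opts[c->nopts].wrapper = wrapper;
    c->opts[c->nopts].name = name;
    c->opts[c->nopts].value = value;
    c->nopts++;
    return 0;
}

/* Tolerates a NULL context: a persistent stream reused by a later request
 * may legitimately carry no context. Returns NULL when the option is absent. */
const char *context_get_option(const req_context *c, const char *wrapper, const char *name) {
    if (c == NULL) return NULL;
    for (int i = 0; i < c->nopts; i++) {
        if (strcmp(c->opts[i].wrapper, wrapper) == 0 && strcmp(c->opts[i].name, name) == 0)
            return c->opts[i].value;
    }
    return NULL;
}

/* Open-or-reuse by id, in the spirit of stream_socket_client() with
 * STREAM_CLIENT_PERSISTENT. On reuse the stream is rebound to the
 * *current* request's context (which may be NULL). */
pstream *pstream_open(const char *id, req_context *ctx) {
    for (int i = 0; i < ptable_len; i++) {
        if (strcmp(ptable[i].id, id) == 0) {
            ptable[i].context = ctx;
            return &ptable[i];
        }
    }
    if (ptable_len == PTABLE_MAX) return NULL;
    pstream *s = &ptable[ptable_len++];
    snprintf(s->id, sizeof s->id, "%s", id);
    s->fd = 100 + ptable_len;
    s->context = ctx;
    return s;
}

/* The step that crashed in the report: connect reads "bindto" from the context. */
const char *pstream_bindto(const pstream *s) {
    const char *v = context_get_option(s->context, "socket", "bindto");
    return v ? v : "0.0.0.0:0";
}

/* End of request: the context is freed but the persistent stream survives,
 * so the borrowed pointer is cleared first. Omitting that line leaves a
 * dangling pointer that the next request's connect would dereference. */
void request_end(pstream *s, req_context *ctx) {
    if (s != NULL && s->context == ctx) s->context = NULL;
    free(ctx);
}

/* Two requests against the same persistent id. Returns 0 on success,
 * otherwise the number of the first invariant that failed. */
int run_two_requests(void) {
    req_context *c1 = context_create();
    context_set_option(c1, "socket", "bindto", "10.0.0.5:0");
    pstream *s = pstream_open("tcp://google.com:80", c1);
    if (s == NULL || strcmp(pstream_bindto(s), "10.0.0.5:0") != 0) return 1;
    request_end(s, c1);
    if (s->context != NULL) return 2;        /* pointer must not outlive c1 */

    /* second request: same id, no context passed */
    pstream *s2 = pstream_open("tcp://google.com:80", NULL);
    if (s2 != s) return 3;                   /* must be the reused stream */
    if (strcmp(pstream_bindto(s2), "0.0.0.0:0") != 0) return 4;
    request_end(s2, NULL);
    return 0;
}

int main(void) {
    int rc = run_two_requests();
    printf("%s\n", rc == 0 ? "persistent stream reused without dangling context" : "invariant failed");
    return rc;
}
```

The two checks worth carrying into a real review of persistent-resource code are the ones run_two_requests encodes: after request teardown the long-lived object holds no pointer into per-request memory, and every consumer of that pointer (here the connect path's option lookup) handles the NULL case instead of assuming a context is always present.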


