From:             cardoe at gentoo dot org
Operating system: Linux
PHP version:      5.2.1
PHP Bug Type:     LDAP related
Bug description:  segfault in ldap_get_entries() & LDAP functions implemented poorly

Description:
------------
Referencing Bug #38819

Essentially I looked through the above mentioned bug, the bugs opened with
OpenLDAP developers, and then reviewed ext/ldap/ldap.c and it appears the
API calls made by PHP are not necessarily the safest ways to write the PHP
wrapper functions. Based on [EMAIL PROTECTED]'s comment that the LDAP module
is unmaintained I went ahead and made some changes.

If you read OpenLDAP's API and comments by OpenLDAP Core Developers,
available at:

http://www.openldap.org/its/index.cgi/Build?id=4690;selectid=4690
http://www.openldap.org/software/man.cgi?query=ldap_get_values&sektion=3&apropos=0&manpath=OpenLDAP+2.1-Release

(Notice I went with OpenLDAP 2.1 docs to quell PHP's urge for backwards
compatibility)

The functions char **ldap_get_values(ld, entry, attr) and struct berval
**ldap_get_values_len(ld, entry, attr) are essentially interchangeable.
The big difference is that the berval struct provides you with a char *
and the size_t of the data, rather than just a char * that you then have to
strlen(), which will result in problems if the returned data is not NULL
terminated. PHP's internal functions make the mistake of assuming all
data will be string data (NULL terminated char *), which is the cause
of the crash in bug #38819.

The patch attached removes all of those assumptions, uses
ldap_get_values_len(), and uses the length provided back by the structure
to feed add_index_stringl() instead of using add_index_string(), which will
call its own strlen() on the provided data.

This patch also removes ldap_get_values() as a PHP function and makes it
an alias of ldap_get_values_len() since there's no difference and the same
data can be returned, it's just a safer version.

The attached patch fixes the test case provided in bug #38819. 

Referencing for my own purposes:
http://bugs.gentoo.org/show_bug.cgi?id=133467

Reproduce code:
---------------
For reproducing code refer to bug #38819

Actual result:
--------------
For a backtrace see bug #38819.

-- 
Edit bug report at http://bugs.php.net/?id=40671&edit=1
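The report's point about strlen() versus bv_len, shown in C as an added example (this is not the reporter's patch nor code from ext/ldap/ldap.c). The struct berval below is a minimal mirror of OpenLDAP's lber.h definition so the file builds without the OpenLDAP headers, and SAMPLE_BYTES is a constructed binary attribute value with an embedded NUL and no terminator; the two copy routines stand in for the add_index_string() and add_index_stringl() code paths the report contrasts.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal mirror of OpenLDAP's struct berval (from lber.h), declared here
 * only so the example builds without the OpenLDAP headers. Assumed layout. */
struct berval {
    unsigned long bv_len;   /* number of bytes in bv_val */
    char *bv_val;           /* the bytes; NOT guaranteed to be NUL-terminated */
};

/* A copied attribute value together with its real byte count, i.e. the
 * (data, length) pair that add_index_stringl() needs. */
struct value {
    char *data;
    size_t len;
};

/* Constructed sample: 8 bytes of a binary attribute value (think jpegPhoto
 * or a raw GUID) with an embedded NUL at offset 3 and no terminator. */
static const unsigned char SAMPLE_BYTES[8] =
    { 0xDE, 0xAD, 0x42, 0x00, 0xBE, 0xEF, 0x01, 0x7F };

/* Build the sample as ldap_get_values_len() would hand it back: a buffer of
 * exactly bv_len bytes, so nothing after the last byte is ours to read. */
struct berval make_sample_berval(void) {
    struct berval bv;
    bv.bv_len = sizeof SAMPLE_BYTES;
    bv.bv_val = malloc(bv.bv_len);
    memcpy(bv.bv_val, SAMPLE_BYTES, bv.bv_len);
    return bv;
}

/* Old pattern: treat the value as a C string, as add_index_string() does
 * by calling strlen(). An embedded NUL silently truncates the value; a value
 * with no NUL at all makes strlen() read past the end of the buffer, which
 * is the memory fault the report describes. */
struct value copy_assuming_string(const char *val) {
    struct value v;
    v.len = strlen(val);               /* stops at the first NUL byte */
    v.data = malloc(v.len + 1);
    memcpy(v.data, val, v.len + 1);
    return v;
}

/* Length-aware pattern: trust bv_len and never scan for a terminator. The
 * trailing NUL is added only as a convenience for printing; it is not
 * counted in len, exactly like the length passed to add_index_stringl(). */
struct value copy_using_len(const struct berval *bv) {
    struct value v;
    v.len = bv->bv_len;
    v.data = malloc(v.len + 1);
    memcpy(v.data, bv->bv_val, v.len);
    v.data[v.len] = '\0';
    return v;
}

/* Equivalent of ldap_count_values_len(): the array is NULL-terminated. */
size_t count_values_len(struct berval **vals) {
    size_t n = 0;
    while (vals && vals[n]) n++;
    return n;
}

/* 1 if the copy still holds every byte of the sample, 0 if it was damaged. */
int value_is_intact(const struct value *v) {
    return v->len == sizeof SAMPLE_BYTES &&
           memcmp(v->data, SAMPLE_BYTES, sizeof SAMPLE_BYTES) == 0;
}

int main(void) {
    struct berval bv = make_sample_berval();
    struct berval *vals[2] = { &bv, NULL };   /* shape of ldap_get_values_len()'s result */
    size_t i, n = count_values_len(vals);

    for (i = 0; i < n; i++) {
        struct value bad  = copy_assuming_string(vals[i]->bv_val);
        struct value good = copy_using_len(vals[i]);
        printf("value %zu: strlen-based copy kept %zu of %lu bytes (%s)\n",
               i, bad.len, vals[i]->bv_len, value_is_intact(&bad) ? "intact" : "truncated");
        printf("value %zu: length-based copy kept %zu of %lu bytes (%s)\n",
               i, good.len, vals[i]->bv_len, value_is_intact(&good) ? "intact" : "truncated");
        free(bad.data);
        free(good.data);
    }
    free(bv.bv_val);
    return 0;
}
```

The sample deliberately contains a NUL so the strlen() path can be run safely here and only truncates; with a value that has no NUL byte at all, the same strlen() call walks off the end of the allocation, which is why the length-carrying berval is the only reliable source of the value's size.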