PHP :: Bug #25525 :: ldap_explode_dn crashes
| Bug #25525 | ldap_explode_dn crashes | | |
|---|---|---|---|
| Submitted: | 2003-09-13 11:28 UTC | Modified: | 2003-09-14 03:08 UTC |
| From: | mikael dot suvi at trigger dot ee | Assigned: | |
| Status: | Closed | Package: | LDAP related |
| PHP Version: | 4.3.3 | OS: | Suse 8.2 |
| Private report: | No | CVE-ID: | None |
[2003-09-13 11:28 UTC] mikael dot suvi at trigger dot ee
Description:
------------
ldap_explode_dn crashes Apache if an incorrect parameter is given to the function. With this fix applied to ldap.c, it did not crash anymore:
*** ext/ldap/ldap.c.old 2003-09-13 17:52:40.000000000 +0300
--- ext/ldap/ldap.c 2003-09-13 17:33:09.000000000 +0300
***************
*** 1210,1215 ****
--- 1210,1219 ----
ldap_value = ldap_explode_dn(Z_STRVAL_PP(dn), Z_LVAL_PP(with_attrib));
+ if (ldap_value == NULL) {
+ RETURN_FALSE;
+ }
+
i=0;
while(ldap_value[i] != NULL) i++;
count = i;
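Review bot: the new `ldap_value == NULL` branch returns FALSE without any diagnostic, so a script that does not compare the result with `=== false` gets no hint that the DN could not be parsed. The check sits in the right place, before `while(ldap_value[i] != NULL) i++;` dereferences the pointer, but consider raising a PHP warning ahead of `RETURN_FALSE;` and noting the FALSE return value in the function's documentation.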
Reproduce code:
---------------
<?php
// "6" is not a valid DN; the call should return false instead of crashing.
$ret = ldap_explode_dn("6", 0);
if ($ret === false) {
    print "no good";
}
?>
Expected result:
----------------
text "no good" to be displayed
Actual result:
--------------
apache crashes with
[Sat Sep 13 17:12:37 2003] [notice] child pid 28620 exit signal Segmentation fault (11)
#0 0x405072ee in zif_ldap_explode_dn (ht=2, return_value=0x840fc2c, this_ptr=0x0, return_value_used=1) at /root/php-4.3.3/ext/ldap/ldap.c:1214
#1 0x40655fae in execute (op_array=0x8393450) at /root/php-4.3.3/Zend/zend_execute.c:1616
#2 0x406561e1 in execute (op_array=0x81e9bb8) at /root/php-4.3.3/Zend/zend_execute.c:1660
#3 0x406561e1 in execute (op_array=0x83aaef4) at /root/php-4.3.3/Zend/zend_execute.c:1660
#4 0x406581a8 in execute (op_array=0x8173bd4) at /root/php-4.3.3/Zend/zend_execute.c:2181
#5 0x40644990 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-4.3.3/Zend/zend.c:885
#6 0x4060ea77 in php_execute_script (primary_file=0xbfffecb0) at /root/php-4.3.3/main/main.c:1723
#7 0x4065b0b0 in apache_php_module_main (r=0x8090f00, display_source_mode=0) at /root/php-4.3.3/sapi/apache/sapi_apache.c:54
#8 0x4065c065 in send_php (r=0x8090f00, display_source_mode=0, filename=0x8092d90 "/home/www/arcoportal/phpbb2/profile.php") at /root/php-4.3.3/sapi/apache/mod_php4.c:620
#9 0x4065c0de in send_parsed_php (r=0x8090f00) at /root/php-4.3.3/sapi/apache/mod_php4.c:635
#10 0x08055137 in ap_invoke_handler (r=0x8090f00) at http_config.c:518
#11 0x08069eff in process_request_internal (r=0x8090f00) at http_request.c:1308
#12 0x0806a161 in ap_process_request (r=0x8090f00) at http_request.c:1324
#13 0x08061bbf in child_main (child_num_arg=0) at http_main.c:4689
#14 0x08061da3 in make_child (s=0x0, slot=2, now=0) at http_main.c:4868
#15 0x08062166 in perform_idle_server_maintenance () at http_main.c:5050
#16 0x0806286d in standalone_main (argc=5, argv=0xbffff1f4) at http_main.c:5287
#17 0x08063076 in main (argc=5, argv=0xbffff1f4) at http_main.c:5566
#18 0x401af8ae in __libc_start_main () from /lib/libc.so.6
[2003-09-13 13:30 UTC] pollita@php.net