exceed post_max_size and php_default_post_reader seg faults apache
| Bug #40921 | exceed post_max_size and php_default_post_reader seg faults apache | | |
|---|---|---|---|
| Submitted: | 2007-03-26 14:09 UTC | Modified: | 2007-04-01 19:09 UTC |
| From: | trickie at gmail dot com | Assigned: | iliaa (profile) |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | 5.2.1 | OS: | Gentoo Linux |
| Private report: | No | CVE-ID: | None |
[2007-03-26 14:09 UTC] trickie at gmail dot com
Description:
------------
If you POST a request that triggers the default post reader (php_default_post_reader), and that request exceeds post_max_size, then Apache will segmentation fault. I first found this using the SOAP extension.

Reproduce code:
---------------
I have not been able to come up with a simple reproduce code; I can submit some of the more complex SOAP code I am using if necessary.

Expected result:
----------------
Normal processing of a POST request

Actual result:
--------------
Patch available: http://trickie.org/code/max_post_fix.patch

GDB backtrace:

```
Starting program: /usr/sbin/apache2 -X -D DEFAULT_VHOST -D PHP5 -f /etc/apache2/httpd.conf -k start
(no debugging symbols found)
Failed to read a valid object file image from memory.
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1213380944 (LWP 4640)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1213380944 (LWP 4640)]
0xb7747565 in _estrndup (s=0x0, length=743, __zend_filename=0xb7a05214 "/var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/php_content_types.c", __zend_lineno=49, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/Zend/zend_alloc.c:2351
2351    /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/Zend/zend_alloc.c: No such file or directory.
        in /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/Zend/zend_alloc.c
(gdb) bt
#0  0xb7747565 in _estrndup (s=0x0, length=743, __zend_filename=0xb7a05214 "/var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/php_content_types.c", __zend_lineno=49, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/Zend/zend_alloc.c:2351
#1  0xb771d24a in php_default_post_reader () at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/php_content_types.c:49
#2  0xb7717e32 in sapi_read_post_data () at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/SAPI.c:190
#3  0xb77185e8 in sapi_activate () at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/SAPI.c:372
#4  0xb77108d6 in php_request_startup () at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/main/main.c:1105
#5  0xb77dc3c8 in php_apache_request_ctor (r=0x8254238, ctx=0x8255700) at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/sapi/apache2handler/sapi_apache2.c:458
#6  0xb77dc989 in php_handler (r=0x8254238) at /var/tmp/portage/dev-lang/php-5.2.1-r300/work/php5.2-200703260630/sapi/apache2handler/sapi_apache2.c:574
#7  0x0806a4f8 in ap_run_handler ()
#8  0x0806d5c1 in ap_invoke_handler ()
#9  0x0806735e in ap_process_request ()
#10 0x0806116b in _start ()
```
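A minimal C model of the failure the backtrace shows, added here as an illustration and not the reporter's patch or PHP's own code: once the body exceeds post_max_size the SAPI layer leaves the post buffer NULL, a reader that duplicates it unconditionally faults the way `_estrndup (s=0x0, length=743)` did, and a reader that checks for the rejected body returns "no data" instead. The struct and all function names are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the per-request state the SAPI layer hands to the
 * default post reader (field names are assumptions, not PHP's own). */
typedef struct {
    size_t content_length;  /* Content-Length sent by the client */
    size_t post_max_size;   /* the post_max_size INI limit */
    char *post_data;        /* body read by the SAPI layer; NULL when rejected */
} request_t;
/* Mirrors the behaviour behind the report: a body larger than post_max_size
 * is never read, so post_data stays NULL for the rest of the request. */
void sapi_read_post_data_model(request_t *r, const char *raw) {
    r->post_data = NULL;
    if (r->content_length > r->post_max_size) return;   /* rejected: nothing read */
    r->post_data = malloc(r->content_length + 1);
    if (r->post_data == NULL) return;
    memcpy(r->post_data, raw, r->content_length);
    r->post_data[r->content_length] = '\0';
}
/* Unchecked reader, the shape of the crash: the _estrndup(s=0x0, length=743)
 * frame in the backtrace is this copy running with post_data == NULL. */
char *post_reader_unchecked(const request_t *r) {
    char *copy = malloc(r->content_length + 1);
    memcpy(copy, r->post_data, r->content_length);      /* NULL deref when rejected */
    copy[r->content_length] = '\0';
    return copy;
}
/* Checked reader: a rejected (NULL) body yields "no data" instead of a fault. */
char *post_reader_checked(const request_t *r) {
    if (r->post_data == NULL) return NULL;
    char *copy = malloc(r->content_length + 1);
    if (copy == NULL) return NULL;
    memcpy(copy, r->post_data, r->content_length);
    copy[r->content_length] = '\0';
    return copy;
}
/* Drives the model for one request built from constructed 'A' bytes. Returns 1
 * when it is served without a fault: a copy for an accepted body, NULL for a
 * rejected one. */
int serve_post(size_t content_length, size_t post_max_size) {
    char *raw = malloc(content_length);
    if (raw == NULL) return 0;
    memset(raw, 'A', content_length);
    request_t r = { content_length, post_max_size, NULL };
    sapi_read_post_data_model(&r, raw);
    char *copy = post_reader_checked(&r);
    int ok = (content_length > post_max_size) ? (copy == NULL) : (copy != NULL);
    free(copy); free(r.post_data); free(raw);
    return ok;
}
```

Calling post_reader_unchecked on a rejected request reproduces the SIGSEGV; it is kept only for contrast with the checked version.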
[2007-04-01 19:09 UTC] iliaa@php.net