Home Original page

Invalid path SNI_server_certs causes segfault

Bug #73072 Invalid path SNI_server_certs causes segfault
Submitted: 2016-09-13 16:16 UTC Modified: 2016-09-13 16:17 UTC
From: bukka@php.net Assigned: bukka (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6.25 OS: All
Private report: No CVE-ID: None

 [2016-09-13 16:16 UTC] bukka@php.net

Description:
------------
If the SNI_server_certs stream ssl option contains an invalid path, it causes segfault after the client connects. It is because the initializing loop is jumped off when error happens and keeps the sni_certs unitialized which causes later segfault when they are freed.

Test script:
---------------
$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
$ctx = stream_context_create(['ssl' => [
    'local_cert' => __DIR__ . '/domain1.pem',
    'SNI_server_certs' => [
        "domain1.com" => __DIR__ . "/sni_server_domain1.pem",
        "domain2.com" => __DIR__ . "/unknown",
    ]
]]);

$server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);

for ($i=0; $i < 3; $i++) {
   @stream_socket_accept($server, 3);
}


Expected result:
----------------
Warning: failed setting local cert chain file `%s'; file not found

Actual result:
--------------
segfault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2016-09-13 16:17 UTC] bukka@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: bukka

 [2016-09-13 16:17 UTC] bukka@php.net

The script above causes segfault once a client connects into it...

 [2016-09-13 17:15 UTC] bukka@php.net

-Status: Assigned +Status: Closed

 [2016-09-29 15:25 UTC] spam2 at rhsoft dot net

the changelog of 7.0.12 RC 1 pretends that to be fixed, in fact it still fails, jsut built the RC1 (the 3 gd tests are because somebody renamed testfiles while they should be skipped at all when using systemd-gd)

i saw that pretty sure *randomly* fail with my PHP 7.0.11 build-tests using PGO (which is still broken https://bugs.php.net/bug.php?id=73111) and don't see any change here

Number of tests : 13389             11143
Tests skipped   : 2246 ( 16.8%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    4 (  0.0%) (  0.0%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    : 11139 ( 83.2%) (100.0%)
---------------------------------------------------------------------
Time taken      :  576 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #53504 imagettfbbox/imageftbbox gives incorrect values for bounding box [ext/gd/tests/bug53504.phpt]
Bug #73155 (imagegd2() writes wrong chunk sizes on boundaries) [ext/gd/tests/bug73155.phpt]
Bug #73159 (imagegd2(): unrecognized formats may result in corrupted files) [ext/gd/tests/bug73159.phpt]
Bug #73072: Invalid path SNI_server_certs causes segfault [ext/openssl/tests/bug73072.phpt]

 [2016-09-29 15:25 UTC] spam2 at rhsoft dot net

Related To: Bug #73072