Closed
Description
The following code:
<?php

/**
 * Minimal SOAP service used to reproduce the crash described in this report.
 */
class soapService
{
    /** Empty constructor, kept as in the report. */
    function __construct()
    {
    }

    /**
     * Handler for the WSDL operation openSession.
     *
     * @param mixed $user Value of the request's "user" part; not used by the handler.
     * @return array Two-element array returned to the SOAP server for serialization.
     */
    function openSession($user)
    {
        // Per this report, returning an array here is what leads into the
        // response-serialization path where the segfault occurs.
        $result = ["OK", "200"];
        return $result;
    }
}

// Serve the class through SoapServer, using the WSDL file next to this script.
$server = new SoapServer(__DIR__ . '/service.wsdl');
$server->setClass("soapService");
$server->handle();
with this `service.wsdl` file:
<?xml version="1.0" encoding="utf-8"?>
<!--
  WSDL for the reproducer: a single rpc/encoded operation, openSession.
  Its response message declares two named string parts, status and error_code.
-->
<definitions
    name="soapService"
    targetNamespace="urn:soapService"
    xmlns:typens="urn:soapService"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns="http://schemas.xmlsoap.org/wsdl/">

  <!-- Request message: one string part. -->
  <message name="openSession">
    <part name="user" type="xsd:string" />
  </message>

  <!-- Response message: two string parts. -->
  <message name="openSessionResponse">
    <part name="status" type="xsd:string" />
    <part name="error_code" type="xsd:string" />
  </message>

  <portType name="soapServicePortType">
    <operation name="openSession">
      <documentation>Service Call: openSession</documentation>
      <input message="typens:openSession" />
      <output message="typens:openSessionResponse" />
    </operation>
  </portType>

  <binding name="soapServiceBinding" type="typens:soapServicePortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http" />
    <operation name="openSession">
      <soap:operation soapAction="urn:openSession" />
      <input>
        <soap:body
            namespace="urn:soapService"
            use="encoded"
            encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" />
      </input>
      <output>
        <soap:body
            namespace="urn:soapService"
            use="encoded"
            encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" />
      </output>
    </operation>
  </binding>

  <service name="soapServiceService">
    <port name="soapServicePort" binding="typens:soapServiceBinding">
      <!-- The location value is a placeholder, kept exactly as given in the report. -->
      <soap:address location="###PHP_SELF###" />
    </port>
  </service>
</definitions>
Resulted in a segfault, with this gdb output:
Program received signal SIGSEGV, Segmentation fault.
0x00007f60ce1f1c75 in __strlen_avx2 () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f60ce1f1c75 in __strlen_avx2 () from /lib64/libc.so.6
#1  0x00007f60c1cdeb6d in get_param (function=function@entry=0x7f60cc2720c0, param_name=param_name@entry=0x18 <error: Cannot access memory at address 0x18>, index=<optimized out>, response=response@entry=1) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/ext/soap/soap.c:3978
#2  0x00007f60c1cdfe54 in serialize_response_call2 (body=body@entry=0x557c1ae411d0, function=function@entry=0x7f60cc2720c0, function_name=function_name@entry=0x7f60cc256078 "openSessionResponse", uri=uri@entry=0x7f60cc2660c0 "urn:soapService", ret=ret@entry=0x7ffcc3881630, version=version@entry=1, main=1, node=0x0) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/ext/soap/soap.c:3292
#3  0x00007f60c1ce509b in serialize_response_call (function=0x7f60cc2720c0, function_name=0x7f60cc256078 "openSessionResponse", uri=0x7f60cc2660c0 "urn:soapService", ret=0x7ffcc3881630, headers=0x0, version=1) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/ext/soap/soap.c:3660
#4  0x00007f60c1ced386 in zim_SoapServer_handle (execute_data=0x7f60cc213090, return_value=<optimized out>) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/ext/soap/soap.c:1484
#5  0x00007f60cbcbe4f5 in xdebug_execute_internal () from /opt/remi/php82/root/usr/lib64/php/modules/xdebug.so
#6  0x0000557c196a02c8 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/Zend/zend_vm_execute.h:1844
#7  execute_ex (ex=0x18) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/Zend/zend_vm_execute.h:56047
#8  0x00007f60cbcbda4c in xdebug_execute_ex () from /opt/remi/php82/root/usr/lib64/php/modules/xdebug.so
#9  0x0000557c196a1932 in zend_execute (op_array=0x7f60cc280000, return_value=0x0) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/Zend/zend_vm_execute.h:60379
#10 0x0000557c1962ed15 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/Zend/zend.c:1780
#11 0x0000557c195c849a in php_execute_script (primary_file=<optimized out>) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/main/main.c:2537
#12 0x0000557c1946e662 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/sapi/fpm/fpm/fpm_main.c:1891
(gdb) frame 2
#2  0x00007f60c1cdfe54 in serialize_response_call2 (body=body@entry=0x557c1ae411d0, function=function@entry=0x7f60cc2720c0, function_name=function_name@entry=0x7f60cc256078 "openSessionResponse", uri=uri@entry=0x7f60cc2660c0 "urn:soapService", ret=ret@entry=0x7ffcc3881630, version=version@entry=1, main=1, node=0x0) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/ext/soap/soap.c:3292
3292    parameter = get_param(function, ZSTR_VAL(param_name), param_index, TRUE);
(gdb) info locals
_z = 0x557c1b8bf740
__ht = 0x557c1b8bf700
__key = 0x0
_idx = 1
_count = 2
__h = <optimized out>
_size = <optimized out>
__z = 0x557c1b8bf750
data = 0x557c1b8bf740
i = 0
param_name = 0x0
param_index = <optimized out>
method = <optimized out>
param = <optimized out>
parameter = <optimized out>
param_count = <optimized out>
style = <optimized out>
use = <optimized out>
ns = <optimized out>
(gdb) frame 1
#1  0x00007f60c1cdeb6d in get_param (function=function@entry=0x7f60cc2720c0, param_name=param_name@entry=0x18 <error: Cannot access memory at address 0x18>, index=<optimized out>, response=response@entry=1) at /usr/src/debug/php82-php-8.2.0~rc3-16.el8.remi.x86_64/ext/soap/soap.c:3978
3978    if ((tmp = zend_hash_str_find_ptr(ht, param_name, strlen(param_name))) != NULL) {
(gdb) info locals
tmp = <optimized out>
ht = 0x7f60cc260428
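In frame 2 the variable `param_name` is of type `zend_string`, but in frame 1 a `char*` is expected. In frame 2 `param_name` is `0x0`, and `ZSTR_VAL(param_name)` turns that null pointer into the address `0x18` seen in frame 1. The type conflict therefore leads to `0x18` not being recognized as `null` in the if statement before.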
But I expected this output instead:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:soapService" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:openSessionResponse><status xsi:type="xsd:string">OK</status><error_code xsi:type="xsd:string">200</error_code></ns1:openSessionResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
After we call it with:
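# Sends the openSession request to the reproducer endpoint.
# NOTE(review): the Envelope start tag is cut off in the report as captured
# (the xmlns:SOAP-ENC value stops at ".../s" and the tag is never closed), so the
# payload below is not well-formed XML as shown; restore the start tag before use.
curl -L --request POST --data '<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:soapService" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/s<SOAP-ENV:Body><ns1:openSession><user xsi:type="xsd:string">istoph</user></ns1:openSession></SOAP-ENV:Body></SOAP-ENV:Envelope>' http://localhost:8080/soap/ -H "Content-Type: text/xml; charset=UTF-8"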
In version PHP 5.6.32 this example still works. Between PHP 7.0 and 8.2 we could see the failure.
PHP Version
PHP 8.2.0
Operating System
Rhel 8