Bug#702872: Segfaults immediately on attempting a radius connection

Tue, 12 Mar 2013 07:45:13 -0700 

Hi,

> On a 64 bit wheezy system, the radius module immediately segfaults
> when attempting Radius authentication.

I found the issue. In radius-1.2.5/radius.c 
PHP_FUNCTION(radius_create_request), 'code' is declared an int, but 
zend_parse_parameters is passed "rl", asking to parse the parameter into a 
long:

        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl", &z_radh, 
&code) == FAILURE) {

This fails on 64 bit platforms. This case is actually documented in
http://svn.php.net/viewvc/php/php-
src/trunk/README.PARAMETER_PARSING_API?view=markup
which explicitly warns against this causing segfaults around line 75.

The attached simple patch hence resolves the issue and I can confirm that both 
my application and my minimal testcase do not crash anymore.

I'm planning to just upload the attached NMU to resolve the problem as soon as 
possible as the module is currently unusable, there are two unacked NMU's 
against the package already and we're close to release.


Cheers,
Thijs

-- 
Thijs Kinkhorst <[email protected]> – LIS Unix

Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl

diff -u php-radius-1.2.5/debian/changelog php-radius-1.2.5/debian/changelog
--- php-radius-1.2.5/debian/changelog
+++ php-radius-1.2.5/debian/changelog
@@ -1,3 +1,11 @@
+php-radius (1.2.5-2.3) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Initialise type parameter to radius_create_request() as long, to avoid
+    segfaulting in zend_parse_parameters() (Closes: #702872).
+
+ -- Thijs Kinkhorst <[email protected]>  Tue, 12 Mar 2013 15:04:53 +0100
+
 php-radius (1.2.5-2.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -u php-radius-1.2.5/radius-1.2.5/radius.c php-radius-1.2.5/radius-1.2.5/radius.c
--- php-radius-1.2.5/radius-1.2.5/radius.c
+++ php-radius-1.2.5/radius-1.2.5/radius.c
@@ -265,7 +265,7 @@
 /* {{{ proto bool radius_create_request(desc, code) */
 PHP_FUNCTION(radius_create_request)
 {
-	int code;
+	long code;
 	radius_descriptor *raddesc;
 	zval *z_radh;

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to