Hi Clint,
I just put another 3 hours into it:
The bug happens in this source code line:
}
of php_mssql_do_connect. I found this out by disassembling the code in the core dump:
Dump of assembler code for function php_mssql_do_connect:
   0x00007f1d4804c330 <+0>:     push   %r14
   0x00007f1d4804c332 <+2>:     push   %r13
   0x00007f1d4804c334 <+4>:     push   %r12
   0x00007f1d4804c336 <+6>:     mov    %r9d,%r12d
   0x00007f1d4804c339 <+9>:     push   %rbp
   0x00007f1d4804c33a <+10>:    mov    %edi,%ebp
   0x00007f1d4804c33c <+12>:    push   %rbx
   0x00007f1d4804c33d <+13>:    mov    %rsi,%rbx
   0x00007f1d4804c340 <+16>:    lea    0x2ef8(%rip),%rsi        # 0x7f1d4804f23f
   0x00007f1d4804c347 <+23>:    sub    $0xc0,%rsp
   0x00007f1d4804c34e <+30>:    mov    %fs:0x28,%rax
   0x00007f1d4804c357 <+39>:    mov    %rax,0xb8(%rsp)
   0x00007f1d4804c35f <+47>:    xor    %eax,%eax
   0x00007f1d4804c361 <+49>:    lea    0x8f(%rsp),%rax
   0x00007f1d4804c369 <+57>:    lea    0x88(%rsp),%rcx
   0x00007f1d4804c371 <+65>:    lea    0x78(%rsp),%rdx
   0x00007f1d4804c376 <+70>:    lea    0x84(%rsp),%r9
   0x00007f1d4804c37e <+78>:    lea    0x70(%rsp),%r8
   0x00007f1d4804c383 <+83>:    movq   $0x0,0x78(%rsp)
   0x00007f1d4804c38c <+92>:    mov    %rax,0x10(%rsp)
   0x00007f1d4804c391 <+97>:    lea    0x80(%rsp),%rax
   0x00007f1d4804c399 <+105>:   movq   $0x0,0x70(%rsp)
   0x00007f1d4804c3a2 <+114>:   movq   $0x0,0x68(%rsp)
   0x00007f1d4804c3ab <+123>:   movb   $0x0,0x8f(%rsp)
   0x00007f1d4804c3b3 <+131>:   mov    %rax,0x8(%rsp)
   0x00007f1d4804c3b8 <+136>:   lea    0x68(%rsp),%rax
   0x00007f1d4804c3bd <+141>:   mov    %rax,(%rsp)
   0x00007f1d4804c3c1 <+145>:   xor    %eax,%eax
   0x00007f1d4804c3c3 <+147>:   callq  0x7f1d4804a768 <zend_parse_parameters@plt>
   0x00007f1d4804c3c8 <+152>:   cmp    $0xffffffffffffffff,%eax
   0x00007f1d4804c3cb <+155>:   je     0x7f1d4804c7b3 <php_mssql_do_connect+1155>
   0x00007f1d4804c3d1 <+161>:   cmpl   $0xff,0x88(%rsp)
   0x00007f1d4804c3dc <+172>:   jle    0x7f1d4804c3ea <php_mssql_do_connect+186>
   0x00007f1d4804c3de <+174>:   mov    0x78(%rsp),%rax
   0x00007f1d4804c3e3 <+179>:   movb   $0x0,0xff(%rax)
   0x00007f1d4804c3ea <+186>:   cmpl   $0xff,0x84(%rsp)
   0x00007f1d4804c3f5 <+197>:   jle    0x7f1d4804c403 <php_mssql_do_connect+211>
   0x00007f1d4804c3f7 <+199>:   mov    0x70(%rsp),%rax
   0x00007f1d4804c3fc <+204>:   movb   $0x0,0xff(%rax)
   0x00007f1d4804c403 <+211>:   cmpl   $0xff,0x80(%rsp)
   0x00007f1d4804c40e <+222>:   jle    0x7f1d4804c41c <php_mssql_do_connect+236>
   0x00007f1d4804c410 <+224>:   mov    0x68(%rsp),%rax
=> 0x00007f1d4804c415 <+229>:   movb   $0x0,0xff(%rax)
   0x00007f1d4804c41c <+236>:   cmp    $0x4,%ebp
   0x00007f1d4804c41f <+239>:   jbe    0x7f1d4804c7e0 <php_mssql_do_connect+1200>
   0x00007f1d4804c425 <+245>:   cmpq   $0x0,0x60(%rsp)
   0x00007f1d4804c42b <+251>:   lea    0x2e3a(%rip),%rdx        # 0x7f1d4804f26c
   0x00007f1d4804c432 <+258>:   je     0x7f1d4804c92f <php_mssql_do_connect+1535>
   0x00007f1d4804c438 <+264>:   mov    0x206d2a(%rip),%edi        # 0x7f1d48253168 <mssql_globals+104>
   0x00007f1d4804c43e <+270>:   callq  0x7f1d4804a508 <dbsetlogintime@plt>
   0x00007f1d4804c443 <+275>:   mov    0x206d27(%rip),%edi        # 0x7f1d48253170 <mssql_globals+112>
   0x00007f1d4804c449 <+281>:   callq  0x7f1d4804a468 <dbsettime@plt>
   0x00007f1d4804c44e <+286>:   callq  0x7f1d4804a788 <dblogin@plt>
Having this hint, I checked the code of the PHP-script which was:
define ("MSSQL_SERVER", "www");
define ("MSSQL_USER", "xxx");
define ("MSSQL_PASSWORD", "yyy");
define ("MSSQL_DATABASE", "zzz");
mssql_connect(MSSQL_SERVER, MSSQL_USER, MSSQL_PASSWORD);
mssql_select_db(MSSQL_DATABASE);
So there was no error checking. In fact, the hostname of the server was wrong; this is why the connection did not succeed. After I fixed the hostname, the code ran without the segmentation fault. It made no difference whether I use "define" or put in the values for the connection as strings.
So the bug is triggered if the hostname for mssql_connect does not exist.
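The script from the report with the missing return-value checks added, as an example added here rather than code from the original poster. It assumes the legacy PHP 5 mssql extension, and the host and credentials are placeholders; note that a check at PHP level reports a failed connect but cannot stop a crash that happens inside the extension itself.

```php
<?php
// Added example, not the original poster's code. Assumes the legacy PHP 5
// mssql extension. Host, user, password and database below are placeholders.
define("MSSQL_SERVER",   "db.example.invalid");
define("MSSQL_USER",     "xxx");
define("MSSQL_PASSWORD", "yyy");
define("MSSQL_DATABASE", "zzz");

/**
 * Open the connection and select the database, failing closed instead of
 * carrying on with a bogus link resource as the original script did.
 * Returns the link resource on success, throws on failure.
 */
function mssqlOpenChecked($server, $user, $password, $database)
{
    // mssql_connect() returns false on failure; the original script never
    // looked at the return value, so a wrong hostname went unnoticed.
    $link = mssql_connect($server, $user, $password);
    if ($link === false) {
        // Log the driver message server-side; do not echo it to the client,
        // since it can reveal server names and account details.
        error_log("mssql_connect to $server failed: " . mssql_get_last_message());
        throw new RuntimeException("database connection failed");
    }

    // mssql_select_db() also returns false on failure; close the link so a
    // half-initialised connection is not reused further down the script.
    if (!mssql_select_db($database, $link)) {
        error_log("mssql_select_db($database) failed: " . mssql_get_last_message());
        mssql_close($link);
        throw new RuntimeException("database selection failed");
    }
    return $link;
}

try {
    $link = mssqlOpenChecked(MSSQL_SERVER, MSSQL_USER, MSSQL_PASSWORD, MSSQL_DATABASE);
} catch (RuntimeException $e) {
    // Generic message for the caller; details are already in the error log.
    header('HTTP/1.1 503 Service Unavailable');
    exit("service temporarily unavailable\n");
}
```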