ext/session: Fix NULL pointer dereference in SessionHandler::create_sid() #22580
Open
jorgsowa wants to merge 1 commit into
s_create_sid() can return NULL when php_random_bytes_throw() fails (e.g. CSPRNG exhaustion), but RETURN_STR() dereferences the string unconditionally. Every other internal caller of s_create_sid() in session.c (php_session_initialize, session_regenerate_id) already NULL-checks the result; this PHP-facing method, reachable from any userland SessionHandler subclass via create_sid(), did not. No dedicated regression test is added: forcing php_random_bytes_throw() to fail is not portably reproducible from a .phpt test (it's a raw getrandom() syscall on Linux and CCRandomGenerateBytes on macOS, neither of which can be faulted from userland), which is also why the existing NULL-checks this mirrors in session.c have none either.
s_create_sid() can return NULL when php_random_bytes_throw() fails (e.g. CSPRNG exhaustion). Every other internal caller of s_create_sid() in session.c (php_session_initialize, session_regenerate_id) already NULL-checks the result. It's not possible to test it through a .phpt test file. Should it be pointed to the PHP8.4 branch?
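The pattern discussed in this PR, as an added stand-alone C model that is not php-src code and not the PR's patch: a generator that returns NULL when its random source fails, an unguarded caller, and a NULL-checked caller. The `rng_fn` seam and every function name here are hypothetical, introduced only so the failure path can be forced in a test.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical RNG seam (not a php-src API): 0 on success, -1 on failure. */
typedef int (*rng_fn)(unsigned char *buf, size_t len);

/* Constructed, non-random bytes so the result is deterministic. */
int rng_ok(unsigned char *buf, size_t len) { memset(buf, 0xA5, len); return 0; }
/* Simulates the random source failing. */
int rng_fail(unsigned char *buf, size_t len) { (void)buf; (void)len; return -1; }

/* Models s_create_sid(): heap-allocated hex string, or NULL on RNG failure. */
char *model_create_sid(rng_fn rng) {
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[16];
    char *sid; size_t i;
    if (rng(raw, sizeof raw) != 0) return NULL;
    sid = malloc(sizeof raw * 2 + 1);
    if (sid == NULL) return NULL;
    for (i = 0; i < sizeof raw; i++) {
        sid[2 * i] = hex[raw[i] >> 4];
        sid[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    sid[sizeof raw * 2] = '\0';
    return sid;
}

/* "Before": uses the result unconditionally; NULL dereference if the RNG fails. */
long sid_len_unguarded(rng_fn rng) {
    char *sid = model_create_sid(rng);
    long n = (long)strlen(sid);
    free(sid);
    return n;
}

/* "After": NULL-checks the result and reports failure as -1. */
long sid_len_guarded(rng_fn rng) {
    char *sid = model_create_sid(rng);
    long n;
    if (sid == NULL) return -1;
    n = (long)strlen(sid);
    free(sid);
    return n;
}

int main(void) {
    printf("ok=%ld fail=%ld\n", sid_len_guarded(rng_ok), sid_len_guarded(rng_fail));
    return 0;
}
```

Calling `sid_len_unguarded(rng_fail)` is the crash case and is intentionally not exercised by `main`.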