
ext/session: Fix NULL pointer dereference in SessionHandler::create_sid() #22580

Open: jorgsowa wants to merge 1 commit into php:master from jorgsowa:fix/session-handler-create-sid-null-deref

jorgsowa (Contributor) commented Jul 3, 2026

s_create_sid() can return NULL when php_random_bytes_throw() fails (e.g. CSPRNG exhaustion). Every other internal caller of s_create_sid() in session.c (php_session_initialize, session_regenerate_id) already NULL-checks the result.

It's not possible to test it through a .phpt test file. Should it be pointed to the PHP 8.4 branch?

s_create_sid() can return NULL when php_random_bytes_throw() fails
(e.g. CSPRNG exhaustion), but RETURN_STR() dereferences the string
unconditionally. Every other internal caller of s_create_sid() in
session.c (php_session_initialize, session_regenerate_id) already
NULL-checks the result; this PHP-facing method, reachable from any
userland SessionHandler subclass via create_sid(), did not.

No dedicated regression test is added: forcing php_random_bytes_throw()
to fail is not portably reproducible from a .phpt test (it's a raw
getrandom() syscall on Linux and CCRandomGenerateBytes on macOS, neither
of which can be faulted from userland), which is also why the existing
NULL-checks this mirrors in session.c have none either.

jorgsowa requested a review from Girgias as a code owner July 3, 2026 17:31

jorgsowa changed the title from "Fix NULL pointer dereference in SessionHandler::create_sid()" to "ext/session: Fix NULL pointer dereference in SessionHandler::create_sid()" Jul 3, 2026
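
A stand-alone C model of the failure path described in this PR, added here as an example and not taken from the PR or from php-src. The random source is passed in as a function pointer so the NULL return can be forced, which is the fault the commit message says a .phpt test cannot trigger. All names (`model_str`, `model_create_sid`, `guarded_create_sid`, `rng_ok`, `rng_fail`) are hypothetical stand-ins, not PHP's real types or functions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for this model; not PHP's real types or functions. */
typedef struct { size_t len; char val[33]; } model_str;
typedef int (*rng_fn)(unsigned char *buf, size_t n); /* 0 = ok, -1 = failure */

static int rng_ok(unsigned char *buf, size_t n) {
    /* Constructed deterministic bytes; a real source would be the OS CSPRNG. */
    for (size_t i = 0; i < n; i++) buf[i] = (unsigned char)(i * 37 + 11);
    return 0;
}
static int rng_fail(unsigned char *buf, size_t n) { (void)buf; (void)n; return -1; }

/* Models a SID generator that returns NULL when the random source fails. */
static model_str *model_create_sid(rng_fn rng) {
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[16];
    if (rng(raw, sizeof raw) != 0) return NULL;
    model_str *s = malloc(sizeof *s);
    if (s == NULL) return NULL;
    for (size_t i = 0; i < sizeof raw; i++) {
        s->val[2 * i] = hex[raw[i] >> 4];
        s->val[2 * i + 1] = hex[raw[i] & 15];
    }
    s->val[32] = '\0';
    s->len = 32;
    return s;
}

/* Guarded caller: checks for NULL before touching the string.
 * Returns the SID length copied into out, or -1 if no SID was produced. */
static int guarded_create_sid(rng_fn rng, char *out, size_t cap) {
    model_str *s = model_create_sid(rng);
    if (s == NULL) return -1;   /* without this, s->len below reads through NULL */
    if (s->len + 1 > cap) { free(s); return -1; }
    memcpy(out, s->val, s->len + 1);
    int n = (int)s->len;
    free(s);
    return n;
}

int main(void) {
    char sid[64];
    printf("ok path:   %d\n", guarded_create_sid(rng_ok, sid, sizeof sid));
    printf("fail path: %d\n", guarded_create_sid(rng_fail, sid, sizeof sid));
    return 0;
}
```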