
Commit f99e1eb

committed
triggers another ZendMM leak
1 parent e2691d8 commit f99e1eb


2 files changed

+22
-15
lines changed

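--- a/ext/snmp/snmp.c
+++ b/ext/snmp/snmp.c
@@ -631,8 +631,8 @@ static void php_snmp_zend_string_release_from_char_pointer(char *ptr) {
 zend_string_release(pptr);
 }
 
-static void php_free_objid_query(struct objid_query *objid_query, zend_string* oid_str, zend_string *value_str, HashTable *value_ht, int st) {
-if (!oid_str) {
+static void php_free_objid_query(struct objid_query *objid_query, HashTable* oid_ht, zend_string *value_str, HashTable *value_ht, int st) {
+if (oid_ht) {
 for (int i = 0; i < objid_query->count; i ++) {
 snmpobjarg *arg = &objid_query->vars[i];
 if (st & SNMP_CMD_SET) {
@@ -698,7 +698,7 @@ static bool php_snmp_parse_oid(
 ZEND_HASH_FOREACH_VAL(oid_ht, tmp_oid) {
 zend_string *tmp = zval_try_get_string(tmp_oid);
 if (!tmp) {
-efree(objid_query->vars);
+php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 return false;
 }
 objid_query->vars[objid_query->count].oid = ZSTR_VAL(tmp);
@@ -728,20 +728,20 @@ static bool php_snmp_parse_oid(
 zval new;
 ZVAL_COPY_VALUE(&new, tmp_type);
 if (!try_convert_to_string(&new)) {
-php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 return false;
 }
 if (Z_STRLEN(new) != 1) {
 zend_value_error("Type must be a single character");
-php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 return false;
 }
 pptr = Z_STRVAL(new);
 objid_query->vars[objid_query->count].type = *pptr;
 idx_type++;
 } else {
 php_error_docref(NULL, E_WARNING, "'%s': no type set", Z_STRVAL_P(tmp_oid));
-php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 return false;
 }
 }
@@ -769,14 +769,14 @@ static bool php_snmp_parse_oid(
 if (idx_value < value_ht->nNumUsed) {
 zend_string *tmp = zval_try_get_string(tmp_value);
 if (!tmp) {
-php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 return false;
 }
 objid_query->vars[objid_query->count].value = ZSTR_VAL(tmp);
 idx_value++;
 } else {
 php_error_docref(NULL, E_WARNING, "'%s': no value set", Z_STRVAL_P(tmp_oid));
-php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 return false;
 }
 }
@@ -789,14 +789,14 @@ static bool php_snmp_parse_oid(
 if (st & SNMP_CMD_WALK) {
 if (objid_query->count > 1) {
 php_snmp_error(object, PHP_SNMP_ERRNO_OID_PARSING_ERROR, "Multi OID walks are not supported!");
-php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 return false;
 }
 objid_query->vars[0].name_length = MAX_NAME_LEN;
 if (strlen(objid_query->vars[0].oid)) { /* on a walk, an empty string means top of tree - no error */
 if (!snmp_parse_oid(objid_query->vars[0].oid, objid_query->vars[0].name, &(objid_query->vars[0].name_length))) {
 php_snmp_error(object, PHP_SNMP_ERRNO_OID_PARSING_ERROR, "Invalid object identifier: %s", objid_query->vars[0].oid);
-php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 return false;
 }
 } else {
@@ -808,7 +808,7 @@ static bool php_snmp_parse_oid(
 objid_query->vars[objid_query->offset].name_length = MAX_OID_LEN;
 if (!snmp_parse_oid(objid_query->vars[objid_query->offset].oid, objid_query->vars[objid_query->offset].name, &(objid_query->vars[objid_query->offset].name_length))) {
 php_snmp_error(object, PHP_SNMP_ERRNO_OID_PARSING_ERROR, "Invalid object identifier: %s", objid_query->vars[objid_query->offset].oid);
-php_free_objid_query(objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 return false;
 }
 }
@@ -1285,12 +1285,12 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 
 if (session_less_mode) {
 if (!netsnmp_session_init(&session, version, a1, a2, timeout, retries)) {
-php_free_objid_query(&objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 netsnmp_session_free(&session);
 RETURN_FALSE;
 }
 if (version == SNMP_VERSION_3 && !netsnmp_session_set_security(session, a3, a4, a5, a6, a7, NULL, NULL)) {
-php_free_objid_query(&objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 netsnmp_session_free(&session);
 /* Warning message sent already, just bail out */
 RETURN_FALSE;
@@ -1301,7 +1301,7 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 session = snmp_object->session;
 if (!session) {
 zend_throw_error(NULL, "Invalid or uninitialized SNMP object");
-php_free_objid_query(&objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 RETURN_THROWS();
 }
 
@@ -1335,7 +1335,7 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 netsnmp_ds_set_int(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_OID_OUTPUT_FORMAT, glob_snmp_object.oid_output_format);
 }
 
-php_free_objid_query(&objid_query, oid_str, value_str, value_ht, st);
+php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 }
 /* }}} */
 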
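Review bot: The release loop at the top of `php_free_objid_query` stops at `objid_query->count`, yet the error returns at new lines 731–779 happen after line 704 has already stored `ZSTR_VAL(tmp)` in `vars[objid_query->count].oid` for the entry still being built. If `count` is incremented only once an entry is complete (the increment is outside the visible hunks, so this is inferred), that entry's OID string is never released and the leak remains for the element that failed. Releasing it before the cleanup call on those paths, e.g. `php_snmp_zend_string_release_from_char_pointer(objid_query->vars[objid_query->count].oid);`, or having the cleanup walk every populated slot, would close it. Both `php_free_objid_query` and `php_snmp_parse_oid` continue outside the hunks shown.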
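--- a/ext/snmp/tests/gh16959.phpt
+++ b/ext/snmp/tests/gh16959.phpt
@@ -19,6 +19,12 @@ var_dump(snmpget($hostname, "", $bad_object_ids) === false);
 var_dump($bad_object_ids);
 try {
 snmpget($hostname, "", [0 => new stdClass()]);
+} catch (Throwable $e) {
+echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+snmp2_set($hostname, $communityWrite, $bad_object_ids, array(new stdClass()), array(null));
 } catch (Throwable $e) {
 echo $e->getMessage();
 }
@@ -48,3 +54,4 @@ array(4) {
 int(0)
 }
 Object of class stdClass could not be converted to string
+Object of class stdClass could not be converted to string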
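Review bot: The added `snmp2_set()` case only reaches the type-conversion failure, so the value-conversion cleanup changed at snmp.c line 772 has no regression coverage in this test. A sibling case with a valid one-character type and an unconvertible value, e.g. `snmp2_set($hostname, $communityWrite, $bad_object_ids, array("i"), array(new stdClass()));`, should exercise that path, with one more expected message line added to match. The first `catch` now appends `PHP_EOL` while the last one does not, which is easy to get wrong when further cases are appended.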
