From: cjbj at hotmail dot com
Operating system: n/a
PHP version: 5.0.0RC3
PHP Bug Type: OCI8 related
Bug description: Potential race during first connection
Description:
------------
The mutex locking in _oci_open_session() in
php-5.0.0RC3/ext/oci8/oci.c at about line 2676 may allow a
possible race. This was discovered from code inspection so I could be
wrong.
The current code is:
if (zend_ts_hash_find(persistent_sessions, hashed_details.c,
hashed_details.len+1, (void **) &session_list) != SUCCESS) {
zend_llist tmp;
/* first session, set up a session list */
zend_llist_init(&tmp, sizeof(oci_session), (llist_dtor_func_t)
_session_pcleanup, 1);
zend_ts_hash_update(persistent_sessions, hashed_details.c,
hashed_details.len+1, &tmp, sizeof(zend_llist), (void **) &session_list);
} else {
mutex_lock(mx_lock);
/* session list found, search for an idle session or an already
opened session by the current thread */
session = zend_llist_get_first(session_list);
while ((session != NULL) && session->thread && (session->thread !=
thread_id())) {
session = zend_llist_get_next(session_list);
}
if (session != NULL) {
/* mark session as busy */
session->thread = thread_id();
}
mutex_unlock(mx_lock);
}
I don't understand why there is no locking around the
zend_llist_init() or even zend_ts_hash_find() calls. If multiple
users log in at once then does zend_ts_hash_find() guarentee to return
SUCCESS for only one thread? If not, a suggested change is:
mutex_lock(mx_lock);
if (zend_ts_hash_find(persistent_sessions, hashed_details.c,
hashed_details.len+1, (void **) &session_list) != SUCCESS) {
zend_llist tmp;
/* first session, set up a session list */
zend_llist_init(&tmp, sizeof(oci_session), (llist_dtor_func_t)
_session_pcleanup, 1);
zend_ts_hash_update(persistent_sessions, hashed_details.c,
hashed_details.len+1, &tmp, sizeof(zend_llist), (void **) &session_list);
} else {
/* session list found, search for an idle session or an already
opened session by the current thread */
session = zend_llist_get_first(session_list);
while ((session != NULL) && session->thread && (session->thread !=
thread_id())) {
session = zend_llist_get_next(session_list);
}
if (session != NULL) {
/* mark session as busy */
session->thread = thread_id();
}
}
mutex_unlock(mx_lock);
--
Edit bug report at http://bugs.php.net/?id=29012&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=29012&r=trysnapshot4
Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=29012&r=trysnapshot5
Fixed in CVS: http://bugs.php.net/fix.php?id=29012&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=29012&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=29012&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=29012&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=29012&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=29012&r=support
Expected behavior: http://bugs.php.net/fix.php?id=29012&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=29012&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=29012&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=29012&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=29012&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=29012&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=29012&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=29012&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=29012&r=float
