[Bug 473915] New: PHP Function Generates: ALERT - canary mismatch on efree()
https://bugzilla.novell.com/show_bug.cgi?id=473915

           Summary: PHP Function Generates: ALERT - canary mismatch on efree()
    Classification: openSUSE
           Product: openSUSE 10.3
           Version: Final
          Platform: 32bit
        OS/Version: openSUSE 10.3
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: klucas@teksavvy.com
         QAContact: qa@suse.de
          Found By: ---

Created an attachment (id=271237)
 --> (https://bugzilla.novell.com/attachment.cgi?id=271237)
This is the full php script where the function causing the problem appears

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.5) Gecko/2008121300 SUSE/3.0.5-1.1 Firefox/3.0.5

I've got a function in one of my php scripts that periodically errors out with:

[Wed Jan 21 11:20:21 2009] [error] [client 10.0.10.13] ALERT - canary mismatch on efree() - heap overflow detected (attacker '10.0.10.13', file '/srv/www/htdocs/sales_by_department.php', line 1335), referer: http://linux-aqep/sales_by_department.php

Line 1335 is the line calling the function get_LY_Non_Merch($Location, $FromDate, $ToDate) (see below). The reason I use the pear:DB module for one database and odbc_connect() for the other is that originally I had them both connecting with pear:DB but couldn't figure out how to set the 'SQL_CUR_USE_IF_NEEDED' with it, so I just switched it to odbc_connect().

Here's the function:

    function get_LY_Non_Merch($Location, $FromDate, $ToDate){
        $sql = "
            SELECT DISTINCT
                ((SUM((SalesHistoryDetail.SaleAmt)) + SUM((SalesHistoryDetail.SaleDisc)))
                - (SUM((SalesHistoryDetail.RtnAmt)) + SUM((SalesHistoryDetail.RtnDisc)))
                - (SUM((SalesHistoryDetail.SaleDisc)) - SUM((SalesHistoryDetail.RtnDisc)))) AS NonMerch
            FROM SalesHistoryHeader
            INNER JOIN SalesHistoryDetail ON SalesHistoryHeader.SHMID = SalesHistoryDetail.SHMID
            INNER JOIN Location ON SalesHistoryHeader.LocationID = Location.LocationID
            INNER JOIN SalesTypes ON SalesHistoryDetail.TypeID = SalesTypes.TypeID
            WHERE SalesTypes.Description = 'Non-Merch'
            AND SalesHistoryHeader.PostDate >= '$FromDate'
            AND SalesHistoryHeader.PostDate <= '$ToDate'
            AND Location.Description = '$Location'
        ";
        $dsn = "Winprism";
        $user = "readonly";
        $pass = "passwd";
        $db = odbc_connect($dsn, $user, $pass, SQL_CUR_USE_IF_NEEDED);
        $q = odbc_exec($db, $sql);
        $db2 = DB::connect("mysql://klucas:passwd@localhost/sales_by_department");
        if (DB::iserror($db2)) {
            die($db2->getMessage());
        }
        while (odbc_fetch_into($q, $row)){
            $sql3 = "
                UPDATE sales_by_department.dcc_sales
                SET dcc_sales.LYNetSales = '$row[0]'
                WHERE dcc_sales.Department = 'NM'
            ";
            usleep(4);
            send_query($sql3, $db2);
        } // end while
        //disconnect($db2);
        //odbc_close($db);
        return 0;
        usleep(20);
    } // end function definition for get_LY_Non_Merch()

I've also tried it this way as the query only will ever return 1 value:

    function get_LY_Non_Merch($Location, $FromDate, $ToDate){
        $sql = "
            SELECT TOP 1
                ((SUM((SalesHistoryDetail.SaleAmt)) + SUM((SalesHistoryDetail.SaleDisc)))
                - (SUM((SalesHistoryDetail.RtnAmt)) + SUM((SalesHistoryDetail.RtnDisc)))
                - (SUM((SalesHistoryDetail.SaleDisc)) - SUM((SalesHistoryDetail.RtnDisc)))) AS NonMerch
            FROM SalesHistoryHeader
            INNER JOIN SalesHistoryDetail ON SalesHistoryHeader.SHMID = SalesHistoryDetail.SHMID
            INNER JOIN Location ON SalesHistoryHeader.LocationID = Location.LocationID
            INNER JOIN SalesTypes ON SalesHistoryDetail.TypeID = SalesTypes.TypeID
            WHERE SalesTypes.Description = 'Non-Merch'
            AND SalesHistoryHeader.PostDate >= '$FromDate'
            AND SalesHistoryHeader.PostDate <= '$ToDate'
            AND Location.Description = '$Location'
        ";
        $dsn = "Winprism";
        $user = "readonly";
        $pass = "XXXXXXXX";
        $db = odbc_connect($dsn, $user, $pass, SQL_CUR_USE_IF_NEEDED);
        $q = odbc_exec($db, $sql);
        $db2 = DB::connect("mysql://klucas:XXXXXXXX@localhost/sales_by_department");
        if (DB::iserror($db2)) {
            die($db2->getDebugInfo());
        }
        odbc_fetch_row($q);
        $field = odbc_result($q, 1);
        //odbc_fetch_into($q, $row);
        $sql2 = "
            UPDATE sales_by_department.dcc_sales
            SET dcc_sales.LYNetSales = '$field'
            WHERE dcc_sales.Department = 'NM'
        ";
        //usleep(4);
        send_query($sql2, $db2);
        disconnect($db2);
        //odbc_close($db);
        return 0;
        //usleep(20);
    } // end function definition for get_LY_Non_Merch()

I'll attach the entire script to this ticket.

The first database that I connect to with the ODBC functions is a MSSQL 2000 one and the second is a locally hosted MySQL one (ver 5.0.45-22.7).

Other version info:
PHP 5.2.8-32.3
Apache 2.2.4-70.6
apache2-mod_php5 5.2.8-32.3
freetds 0.82

-- I've included my odbc.ini file and odbcinst.ini file attached

See also the thread in the openSUSE forums at http://forums.opensuse.org/programming-scripting/405636-php-function-questio...

Also interesting is that the error comes up more frequently (almost every time) when the database disconnects are uncommented.

Reproducible: Sometimes

Steps to Reproduce:
1. Set up an ODBC connection to a MS-SQL database using FreeTDS
2. Set up a MySQL database locally
3. With Apache running and PHP installed, point a web browser to the script and run it for 'all stores'
4. Watch for the Canary mismatch in /var/log/apache2/error.log

Actual Results:
Sometimes it completes normally, sometimes it errors out with the above message and the script stops running.

Expected Results:
Should consistently complete.

The account used to read the mssql database, as the user name suggests, is a read-only account.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
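
The alert quoted in the report is raised when a block is freed, so the file and line it names are where the free ran, which is not necessarily where the stray write happened. The C sketch below is an added illustration of that behaviour using a generic canary-guarded allocator; it is not code from the report or from PHP, and `guarded_alloc`, `guarded_free`, `copy_then_free` and the canary value are hypothetical names and constructed values.

```c
/* Illustrative guarded allocator: hypothetical names, not PHP's efree(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xC0FFEE11u  /* constructed constant; a hardened allocator would randomise it */

typedef struct { size_t size; uint32_t front; } guard_hdr;

/* Layout: [guard_hdr][payload: size bytes][trailing canary: 4 bytes] */
void *guarded_alloc(size_t size) {
    unsigned char *raw = malloc(sizeof(guard_hdr) + size + sizeof(uint32_t));
    if (!raw) return NULL;
    guard_hdr *h = (guard_hdr *)raw;
    uint32_t c = CANARY;
    h->size = size;
    h->front = c;
    memcpy(raw + sizeof *h + size, &c, sizeof c);
    return raw + sizeof *h;
}

/* Returns 0 if both canaries are intact, -1 on mismatch. The check runs only here. */
int guarded_free(void *p) {
    unsigned char *raw = (unsigned char *)p - sizeof(guard_hdr);
    guard_hdr *h = (guard_hdr *)raw;
    uint32_t back;
    memcpy(&back, raw + sizeof *h + h->size, sizeof back);
    int ok = (h->front == CANARY && back == CANARY);
    free(raw);
    return ok ? 0 : -1;
}

/* Copies n bytes into a cap-byte block without a bounds check, then frees it later. */
int copy_then_free(size_t cap, const char *src, size_t n) {
    char *buf = guarded_alloc(cap);
    if (!buf) return -2;
    memcpy(buf, src, n);      /* n > cap (up to cap + 4 here) lands in the trailing canary */
    /* ... unrelated work would run here, unaware of the damage ... */
    return guarded_free(buf); /* the mismatch is only reported at this point */
}

int main(void) {
    const char data[] = "0123456789AB"; /* constructed input */
    printf("fits: %d\n", copy_then_free(8, data, 8));
    printf("overruns by 4: %d\n", copy_then_free(8, data, 12));
    return 0;
}
```

Because the write and the check are separated in time, an intermittent alert of this kind is usually triaged by looking at every native extension that touched the heap during the request, not only the PHP line named in the log.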