test(config): regression test for buf-aliasing heap overflow in zai_config_find_and_set_value

morrisonlevi · claude · morrisonlevi · commit f30f5e3aeed0 · 2026-03-31T18:19:58.000-06:00
When a DD_ env var is cached as a short persistent allocation and the corresponding OTEL fallback is invoked, the code (pre-fix) passes the aliased buf—still pointing at that tiny allocation—directly to the fallback. ddtrace_conf_otel_propagators then writes up to 30 bytes via memcpy, overflowing the allocation. The trigger: DD_TRACE_PROPAGATION_STYLE=, (a bare comma). The comma is non-empty so PHP's proc_open passes it to the child process normally. SET_LOWERCASE decode rejects all-separator input (zero set elements), leaving value.len == 0, which causes the fallback to fire with the aliased 2-byte buffer. Under ASAN this crashes the process during MINIT. The fix (commit 433ca60) allocates a fresh ZAI_ENV_MAX_BUFSIZ buffer for every fallback call so the aliased pointer is never used as the write destination. Note: DD_TRACE_PROPAGATION_STYLE= (empty string) cannot be used because PHP's proc_open silently drops env-array entries with empty-string values. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/tests/ext/otel_propagators_empty_dd_propagation_style.phpt b/tests/ext/otel_propagators_empty_dd_propagation_style.phpt
@@ -0,0 +1,32 @@
+--TEST--
+OTEL_PROPAGATORS fallback uses correct buffer when DD_TRACE_PROPAGATION_STYLE fails to decode
+--DESCRIPTION--
+Regression test for a heap buffer overflow in zai_config_find_and_set_value.
+
+When DD_TRACE_PROPAGATION_STYLE is set to a value that fails to decode (e.g. a
+bare comma, which is all-separators and produces an empty set), the sys env cache
+stores a small persistent allocation for the raw value. The decode failure leaves
+value.len == 0, so the OTEL fallback is triggered. On the unfixed code, buf.ptr
+is still aliased to that small allocation; ddtrace_conf_otel_propagators then
+writes up to 30 bytes into it via memcpy, causing a heap-buffer-overflow.
+
+Under ASAN, the unfixed code crashes the process during MINIT before any PHP
+code runs; the test captures no output and fails. The fix uses a fresh 32 KB
+buffer for every fallback call, preventing the overflow.
+
+Note: an empty string (DD_TRACE_PROPAGATION_STYLE=) cannot be used here because
+PHP's proc_open silently drops env-array entries with empty-string values. A bare
+comma (",") is non-empty so proc_open passes it, but SET_LOWERCASE decode rejects
+it (all-separator input produces zero set elements), triggering the same
+fallback+overflow path.
+--SKIPIF--
+<?php if (!extension_loaded('ddtrace')) die('skip: ddtrace extension required'); ?>
+--ENV--
+DD_TRACE_PROPAGATION_STYLE=,
+OTEL_PROPAGATORS=tracecontext,b3
+--FILE--
+<?php
+var_dump(ini_get("datadog.trace.propagation_style"));
+?>
+--EXPECT--
+string(29) "tracecontext,b3 single header"
