Fixed MOPB-22-2007:PHP session_regenerate_id() Double Free Vulnerability

# Discovered by Stefan Esser

diff --git a/ext/session/session.c b/ext/session/session.c
index 2b20dde0aac4ba3c4dde6509d36a91a1aaca9bf7..72606a22d9aea484000d499319305494c55cac88 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -846,6 +846,7 @@ new_session:
        } else if (PS(invalid_session_id)) { /* address instances where the session read fails due to an invalid id */
                PS(invalid_session_id) = 0;
                efree(PS(id));
+               PS(id) = NULL;
                goto new_session;
        }
 }
@@ -1575,6 +1576,7 @@ PHP_FUNCTION(session_regenerate_id)
                                RETURN_FALSE;
                        }
                        efree(PS(id));
+                       PS(id) = NULL;
                }
        
                PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);