[prev in list] [next in list] [prev in thread] [next in thread] 

List:       rampart-c-dev
Subject:    [jira] [Created] (AXIS2C-1600) buffer overrun by patching NUL behind stream buffer
From:       "Heiner Marxen (JIRA)" <jira () apache ! org>
Date:       2012-06-21 15:48:43
Message-ID: 2031197075.39287.1340293723064.JavaMail.jiratomcat () issues-vm
[Download RAW message or body]

Heiner Marxen created AXIS2C-1600:
-------------------------------------

             Summary: buffer overrun by patching NUL behind stream buffer
                 Key: AXIS2C-1600
                 URL: https://issues.apache.org/jira/browse/AXIS2C-1600
             Project: Axis2-C
          Issue Type: Bug
          Components: core/transport, util, xml/om
    Affects Versions: 1.6.0
            Reporter: Heiner Marxen


In functions axiom_data_source_serialize() and \
axis2_simple_http_svr_conn_write_respond() the buffer obtained via \
axutil_stream_get_buffer() and axutil_stream_get_len() is terminated with a NUL byte \
by patching behind the filled data. If the buffer is exactly full at that time, that \
NUL is patched into not allocated memory, which may currupt the malloc memory arena \
(corrupt the heap).

We have patched "stream.c" to always allocate one more byte than is necessary or \
used, so that always at least one more byte of memory is allocated. That made our \
crashes go away.

A more clean solution would be to have stream.c offer a function that guarantees that \
additional byte (eventually reallocating), which would be called prior to \
axutil_stream_get_buffer(), whenever such a NUL byte patching is required.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: \
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more \
information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: c-dev-help@axis.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]