[asterisk-bugs] [JIRA] (ASTERISK-23508) Memory Corruption in __ast_string_field_ptr_build_va
Arnd Schmitter (JIRA)
noreply at issues.asterisk.org
Thu Mar 20 07:45:18 CDT 2014
Arnd Schmitter created ASTERISK-23508:
-----------------------------------------
Summary: Memory Corruption in __ast_string_field_ptr_build_va
Key: ASTERISK-23508
URL: https://issues.asterisk.org/jira/browse/ASTERISK-23508
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Utilities/General
Affects Versions: 11.8.0
Environment: Centos 6.5 / x86_64
Reporter: Arnd Schmitter
We had serveral cases of memory corruption which occured inside this function, which resulted in random segmentation faults.
We have already found the cause of the corruption:
It happens when the variable space, at the start of the functions calculates to a value of 0.
When the variable "available" later gets calculated, it will make a underrun and because its unsigned, the value gets very high.
So the vsnprintf will always think there are enough bytes and write over the borders of the allocated memory area.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list