[asterisk-bugs] [JIRA] (ASTERISK-23516) Memory Corruption in __ast_string_field_ptr_build_va

Rusty Newton (JIRA) noreply at issues.asterisk.org
Mon Mar 24 18:34:19 CDT 2014


Rusty Newton created ASTERISK-23516:
---------------------------------------

             Summary: Memory Corruption in __ast_string_field_ptr_build_va
                 Key: ASTERISK-23516
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23516
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Utilities/General
    Affects Versions: 11.8.0
         Environment: Centos 6.5 / x86_64
            Reporter: Arnd Schmitter


We had serveral cases of memory corruption which occured inside this function, which resulted in random segmentation faults.

We have already found the cause of the corruption:

It happens when the variable space, at the start of the functions calculates to a value of 0.
When the variable "available" later gets calculated, it will make a underrun and because its unsigned, the value gets very high.
So the vsnprintf will always think there are enough bytes and write over the borders of the allocated memory area.








--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list