[asterisk-bugs] [JIRA] (ASTERISK-23508) Memory Corruption in __ast_string_field_ptr_build_va

Arnd Schmitter (JIRA) noreply at issues.asterisk.org
Wed Mar 26 01:45:18 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-23508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=216823#comment-216823 ] 

Arnd Schmitter commented on ASTERISK-23508:
-------------------------------------------

Before I can upload a patch I would first need to sign a license agreement and for this I must talk with our legal department. But on the other hand we would like to see the problem fixed ;)

There is only a little fix needed. Below is part of the official code. If you look at the else case, there you can see that available is space minus alignment size. If space is < alignment size, available would get negative (if it wasn't an unsigned). So I just put an if .. then .. else structure around the instruction and set available = 0 if the calculation would get negative.

        if (*ptr != __ast_string_field_empty) {
                target = (char *) *ptr;
                available = AST_STRING_FIELD_ALLOCATION(*ptr);
                if (*ptr == mgr->last_alloc) {
                        available += space;
                }
        } else {
                /* pool->used is always a multiple of ast_alignof(ast_string_field_allocation)
                 * so we don't need to re-align anything here.
                 */
                target = (*pool_head)->base + (*pool_head)->used + ast_alignof(ast_string_field_allocation);
                available = space - ast_alignof(ast_string_field_allocation);
        }

The corruption was fixed on my system, by the way. It is now running for a week without any corruptions.


> Memory Corruption in __ast_string_field_ptr_build_va
> ----------------------------------------------------
>
>                 Key: ASTERISK-23508
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23508
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Utilities/General
>    Affects Versions: 11.8.0
>         Environment: Centos 6.5 / x86_64
>            Reporter: Arnd Schmitter
>
> We had several cases of memory corruption which occurred inside this function, which resulted in random segmentation faults.
> We have already found the cause of the corruption:
> It happens when the variable space, at the start of the functions calculates to a value of 0.
> When the variable "available" later gets calculated, it will make an underrun and because it's unsigned, the value gets very high.
> So the vsnprintf will always think there are enough bytes and write over the borders of the allocated memory area.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
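Added example, not Asterisk code: a small C model of the arithmetic discussed above, with a constructed pool struct and a stand-in FIELD_ALIGN for ast_alignof(ast_string_field_allocation). It shows the wrapped value "available" takes when space is 0, and how clamping it to 0 changes the size check that decides whether the formatted string is accepted into the pool.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ast_alignof(ast_string_field_allocation);
 * the real value is ABI dependent. */
#define FIELD_ALIGN ((size_t)8)

/* Constructed model of one string-field pool: only the members the
 * "else" branch above touches. */
struct pool {
    size_t size;   /* bytes in the pool */
    size_t used;   /* bytes already handed out, a multiple of FIELD_ALIGN */
};

/* Arithmetic from the snippet as posted: the unsigned subtraction wraps
 * when space < FIELD_ALIGN, so space == 0 yields SIZE_MAX - 7. */
static size_t available_unguarded(size_t space)
{
    return space - FIELD_ALIGN;
}

/* The clamp described in the comment: never let the result go "negative". */
static size_t available_guarded(size_t space)
{
    return space < FIELD_ALIGN ? 0 : space - FIELD_ALIGN;
}

/* Models the length check that follows vsnprintf in the real function.
 * Returns 1 if a string needing `needed` bytes (NUL included) would be
 * accepted into this pool, 0 if the caller must allocate a new pool.
 * Nothing is written here, so the wrapped value cannot do any harm. */
static int field_fits(const struct pool *p, size_t needed, int guarded)
{
    size_t space = p->size - p->used;            /* 0 when the pool is full */
    size_t available = guarded ? available_guarded(space)
                               : available_unguarded(space);
    return needed <= available;
}

int main(void)
{
    struct pool full = { .size = 64, .used = 64 };   /* space == 0, the reported case */
    struct pool roomy = { .size = 64, .used = 32 };  /* space == 32 */
    printf("space 0: unguarded available = %zu\n", available_unguarded(0));
    printf("full pool accepts 20 bytes: unguarded=%d guarded=%d\n",
           field_fits(&full, 20, 0), field_fits(&full, 20, 1));
    printf("roomy pool accepts 20 bytes: guarded=%d\n", field_fits(&roomy, 20, 1));
    return 0;
}
```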
