[asterisk-bugs] [JIRA] (ASTERISK-23508) Memory Corruption in __ast_string_field_ptr_build_va
Walter Doekes (JIRA)
noreply at issues.asterisk.org
Wed Mar 26 03:25:19 CDT 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-23508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=216826#comment-216826 ]
Walter Doekes commented on ASTERISK-23508:
------------------------------------------
I attached {{issueA23508_stringfieldptr_corruption.patch}} based on your observations.
Instead of adding an extra if, I switched to signed size_t's, both for available and needed, which both could get negative. Also I added an extra check for when vsnprintf returns negative.
This should probably fix your issue. Please confirm. And thanks for the analysis :)
> Memory Corruption in __ast_string_field_ptr_build_va
> ----------------------------------------------------
>
> Key: ASTERISK-23508
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-23508
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Utilities/General
> Affects Versions: 11.8.0
> Environment: Centos 6.5 / x86_64
> Reporter: Arnd Schmitter
> Attachments: issueA23508_stringfieldptr_corruption.patch
>
>
> We had several cases of memory corruption which occurred inside this function, which resulted in random segmentation faults.
> We have already found the cause of the corruption:
> It happens when the variable space, at the start of the function, calculates to a value of 0.
> When the variable "available" later gets calculated, it will make an underrun and because it's unsigned, the value gets very high.
> So the vsnprintf will always think there are enough bytes and write over the borders of the allocated memory area.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
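A constructed C model of the arithmetic the report describes and of the fix the comment outlines (signed sizes plus a check for a negative vsnprintf return). This is an added example, not the Asterisk source or the attached patch; the `pool` struct, `ALIGN_OVERHEAD` and the function names are simplified stand-ins.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed, simplified model of the string-field pool from the report:
 * a fixed-size pool plus a "used" mark. Not the Asterisk implementation. */
#define ALIGN_OVERHEAD 4 /* stands in for ast_alignof(ast_string_field_allocation) */

struct pool { size_t size; size_t used; char base[64]; };

/* Unsigned arithmetic as in the report: once space == 0 the subtraction
 * wraps and "available" becomes enormous, so vsnprintf would be allowed
 * to write far past the pool. Returned for inspection only, never used. */
size_t available_unsigned(const struct pool *p)
{
    size_t space = p->size - p->used;
    return space - ALIGN_OVERHEAD;
}

/* Signed arithmetic in the spirit of the attached patch: a value <= 0
 * means "no room here, grow the pool" instead of wrapping. */
ssize_t available_signed(const struct pool *p)
{
    ssize_t space = (ssize_t)p->size - (ssize_t)p->used;
    return space - ALIGN_OVERHEAD;
}

/* Format into the free tail of the pool. Returns the string length, -1 when
 * the caller must grow the pool and retry, -2 on a vsnprintf error. */
int build_va(struct pool *p, const char *fmt, ...)
{
    ssize_t available = available_signed(p);
    if (available <= 0)
        return -1;                 /* the case that wrapped before the fix */
    char *target = p->base + p->used + ALIGN_OVERHEAD;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(target, (size_t)available, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -2;                 /* never treat a negative return as a length */
    ssize_t needed = (ssize_t)n + 1;
    if (needed > available)
        return -1;                 /* output truncated: grow and retry */
    p->used += ALIGN_OVERHEAD + (size_t)needed;
    return n;
}
```

With a full pool, `available_unsigned` reports far more room than the pool holds while `available_signed` goes negative and `build_va` refuses to write.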