[asterisk-bugs] [JIRA] (ASTERISK-23508) Memory Corruption in __ast_string_field_ptr_build_va

Arnd Schmitter (JIRA) noreply at issues.asterisk.org
Wed Mar 26 04:21:19 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-23508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=216830#comment-216830 ] 

Arnd Schmitter commented on ASTERISK-23508:
-------------------------------------------

I don't think that this will fix the corruption problem.

available can now get negative, but when the vsnprintf function gets called, it will be converted to an unsigned again. Look at the function declaration of vsnprintf: the second parameter is of type size_t.

In my opinion, it would be better to explicitly set available to 0 if it is negative, before the call to vsnprintf.


> Memory Corruption in __ast_string_field_ptr_build_va
> ----------------------------------------------------
>
>                 Key: ASTERISK-23508
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23508
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Utilities/General
>    Affects Versions: 11.8.0
>         Environment: Centos 6.5 / x86_64
>            Reporter: Arnd Schmitter
>         Attachments: issueA23508_stringfieldptr_corruption.patch
>
>
> We had several cases of memory corruption which occurred inside this function, which resulted in random segmentation faults.
> We have already found the cause of the corruption:
> It happens when the variable space, at the start of the function, calculates to a value of 0.
> When the variable "available" later gets calculated, it will make an underrun and because it's unsigned, the value gets very high.
> So the vsnprintf will always think there are enough bytes and write over the borders of the allocated memory area.
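The three size computations discussed in this thread, side by side, as an added example that is not part of the issue report or of Asterisk's code. The `pool` struct, the `FIELD_ALIGN` constant (standing in for the per-field overhead that is subtracted from `space`) and all function names are assumptions made for illustration; the real function is `__ast_string_field_ptr_build_va`, and the reading that the patch under discussion makes `available` signed is taken from the comment above. The unsafe variants only compute the size that would reach `vsnprintf`; they never call it with that size, because doing so is exactly the overflow.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t (POSIX) */

/* Simplified model of a string-field pool: `size` bytes of storage, of which
 * `used` are already taken. Illustration only; field names are assumed and
 * do not match Asterisk's struct ast_string_field_pool. */
struct pool {
    size_t size;
    size_t used;
    char base[64];
};

/* Assumed per-field overhead subtracted from the free space (stands in for
 * the alignment/header bytes the real function reserves). */
#define FIELD_ALIGN 8

/* 1. The bug as reported: everything is unsigned. When space < FIELD_ALIGN
 *    the subtraction wraps and `available` becomes enormous, so vsnprintf
 *    is told there is room for anything. */
static size_t available_unsigned(const struct pool *p)
{
    size_t space = p->size - p->used;
    size_t available = space - FIELD_ALIGN;   /* wraps when space < FIELD_ALIGN */
    return available;
}

/* 2. The fix being commented on: `available` becomes signed and can go
 *    negative. vsnprintf's second parameter is size_t, so the negative value
 *    is converted back to the same huge unsigned number at the call site.
 *    Returns what vsnprintf(target, available, ...) would actually receive. */
static size_t size_seen_by_vsnprintf_signed(const struct pool *p)
{
    ssize_t space = (ssize_t) (p->size - p->used);
    ssize_t available = space - FIELD_ALIGN;  /* may be negative */
    return (size_t) available;                /* implicit conversion at the call */
}

/* 3. The suggestion in the comment: clamp to 0 before the call, so a full
 *    pool is passed as "no room" rather than "unlimited room". */
static size_t available_clamped(const struct pool *p)
{
    ssize_t space = (ssize_t) (p->size - p->used);
    ssize_t available = space - FIELD_ALIGN;
    if (available < 0)
        available = 0;
    return (size_t) available;
}

/* Build a formatted string into the pool using the clamped size. Returns the
 * number of bytes the string needs including the NUL (vsnprintf result + 1),
 * so a caller can decide to grow the pool; when it does not fit, nothing is
 * written and `used` is left unchanged. With available == 0 the target is
 * NULL and vsnprintf only measures. */
static size_t pool_build(struct pool *p, const char *fmt, ...)
{
    size_t available = available_clamped(p);
    char *target = available ? p->base + p->used + FIELD_ALIGN : NULL;
    va_list ap;
    size_t needed;

    va_start(ap, fmt);
    needed = (size_t) vsnprintf(target, available, fmt, ap) + 1;
    va_end(ap);

    if (needed <= available)
        p->used += FIELD_ALIGN + needed;
    return needed;
}

int main(void)
{
    /* Constructed input: a pool with no free space at all (space == 0). */
    struct pool full = { .size = 64, .used = 64 };

    printf("unsigned available:            %zu\n", available_unsigned(&full));
    printf("signed, as vsnprintf sees it:  %zu\n", size_seen_by_vsnprintf_signed(&full));
    printf("clamped:                       %zu\n", available_clamped(&full));
    printf("needed %zu bytes, used stays %zu\n",
           pool_build(&full, "hello %s", "world"), full.used);
    return 0;
}
```

Making `available` signed only moves the wrap from the subtraction to the parameter conversion; the clamp (or an explicit `available <= 0` check that skips the formatting call) is what actually stops the write.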


