[svn-commits] wdoekes: branch 11 r420715 - in /branches/11: ./ main/utils.c
SVN commits to the Digium repositories
svn-commits at lists.digium.com
Mon Aug 11 05:36:42 CDT 2014
Author: wdoekes
Date: Mon Aug 11 05:36:38 2014
New Revision: 420715
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=420715
Log:
general: Fix memory Corruption in __ast_string_field_ptr_build_va.
If the space left in a stringfield is between 0 and
(alignof(ast_string_field_allocation)-1) adding new data would cause
memory corruption, because we would assume enough space (unsigned
underrun).
Thanks Arnd Schmitter for reporting and finding out the cause!
ASTERISK-23508 #close
Reported by: Arnd Schmitter
Tested by: Arnd Schmitter, JoshE
Review: https://reviewboard.asterisk.org/r/3898/
........
Merged revisions 420680 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Modified:
branches/11/ (props changed)
branches/11/main/utils.c
Propchange: branches/11/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.
Modified: branches/11/main/utils.c
URL: http://svnview.digium.com/svn/asterisk/branches/11/main/utils.c?view=diff&rev=420715&r1=420714&r2=420715
==============================================================================
--- branches/11/main/utils.c (original)
+++ branches/11/main/utils.c Mon Aug 11 05:36:38 2014
@@ -1960,6 +1960,7 @@
size_t needed;
size_t available;
size_t space = (*pool_head)->size - (*pool_head)->used;
+ int res;
ssize_t grow;
char *target;
va_list ap2;
@@ -1979,12 +1980,22 @@
* so we don't need to re-align anything here.
*/
target = (*pool_head)->base + (*pool_head)->used + ast_alignof(ast_string_field_allocation);
- available = space - ast_alignof(ast_string_field_allocation);
+ if (space > ast_alignof(ast_string_field_allocation)) {
+ available = space - ast_alignof(ast_string_field_allocation);
+ } else {
+ available = 0;
+ }
}
va_copy(ap2, ap);
- needed = vsnprintf(target, available, format, ap2) + 1;
+ res = vsnprintf(target, available, format, ap2);
va_end(ap2);
+
+ if (res < 0) {
+ /* Are we out of memory? */
+ return;
+ }
+ needed = (size_t)res + 1; /* NUL byte */
if (needed > available) {
/* the allocation could not be satisfied using the field's current allocation
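Review bot: The `res < 0` early return exits this function without setting `*ptr` and without reporting anything, so the caller cannot tell that the field was never built, and the comment "Are we out of memory?" is a guess rather than a statement of what happened. Suggest logging a warning before `return;` and rewording the comment to say that vsnprintf reported an error. In the else branch above, note also that when `space` is smaller than the alignment, `target` is computed past the end of the pool; this is safe only because `available` is now 0 and vsnprintf writes nothing at size 0, which deserves a one-line comment next to `available = 0;`.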
@@ -2004,7 +2015,8 @@
*/
__ast_string_field_release_active(*pool_head, *ptr);
mgr->last_alloc = *ptr = target;
- AST_STRING_FIELD_ALLOCATION(target) = needed;
+ ast_assert(needed < (ast_string_field_allocation)-1);
+ AST_STRING_FIELD_ALLOCATION(target) = (ast_string_field_allocation)needed;
(*pool_head)->used += ast_make_room_for(needed, ast_string_field_allocation);
(*pool_head)->active += needed;
} else if ((grow = (needed - AST_STRING_FIELD_ALLOCATION(*ptr))) > 0) {
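Review bot: The `ast_assert(needed < (ast_string_field_allocation)-1)` line is the only guard in front of the narrowing cast that follows it; if assertions are compiled out, an oversized `needed` is silently truncated when stored, while `used` and `active` still advance by the full value. Suggest an explicit runtime check that bails out, as the `res < 0` path does, and a named maximum in place of `(ast_string_field_allocation)-1`, which reads as a subtraction at first glance.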
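The unsigned underrun described in the log message, reduced to the one subtraction the patch guards, as an added C example that is not Asterisk code. `field_alloc_t`, `struct pool` and the function names are hypothetical stand-ins, and the 2-byte prefix type is an assumption.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 2-byte unsigned length prefix standing in for
 * ast_string_field_allocation. */
typedef uint16_t field_alloc_t;

/* Constructed model of a pool: only the two counters the patch reads. */
struct pool { size_t size; size_t used; };

/* Pre-patch arithmetic: wraps when space < alignof(field_alloc_t). */
static size_t available_unchecked(const struct pool *p)
{
    size_t space = p->size - p->used;
    return space - alignof(field_alloc_t);
}

/* Post-patch arithmetic: clamps to 0 instead of wrapping. */
static size_t available_checked(const struct pool *p)
{
    size_t space = p->size - p->used;
    return space > alignof(field_alloc_t) ? space - alignof(field_alloc_t) : 0;
}

/* The "needed > available" test that decides whether a fresh allocation is made. */
static int must_reallocate(size_t needed, size_t available)
{
    return needed > available;
}

int main(void)
{
    struct pool p = { 64, 63 };   /* constructed: 1 byte left in the pool */
    size_t needed = 10;           /* constructed: 9 characters plus NUL */

    printf("unchecked: available=%zu reallocate=%d\n",
           available_unchecked(&p), must_reallocate(needed, available_unchecked(&p)));
    printf("checked:   available=%zu reallocate=%d\n",
           available_checked(&p), must_reallocate(needed, available_checked(&p)));
    return 0;
}
```

With the wrapped value the size passed to vsnprintf is far larger than the one byte remaining and the `needed > available` test never triggers a new allocation; the clamped value forces the reallocation path.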