Asterisk
/
asterisk
mirror of https://github.com/asterisk/asterisk
1
0
Fork 0
Code Issues Releases Wiki Activity

general: Fix memory Corruption in __ast_string_field_ptr_build_va.

Browse Source 
If the space left in a stringfield is between 0 and
(alignof(ast_string_field_allocation)-1) adding new data would cause
memory corruption, because we would assume enough space (unsigned
underrun).

Thanks Arnd Schmitter for reporting and finding out the cause!

ASTERISK-23508 #close
Reported by: Arnd Schmitter
Tested by: Arnd Schmitter, JoshE

Review: https://reviewboard.asterisk.org/r/3898/


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@420680 65c4cc65-6c06-0410-ace0-fbb531ad65f3
changes/76/76/1
Walter Doekes 11 years ago
parent edca0bd412
commit 6d6c119777
1 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File

17
main/utils.c
Unescape View File

@ -1913,6 +1913,7 @@ void __ast_string_field_ptr_build_va(struct ast_string_field_mgr *mgr,
size_t needed;
size_t available;
size_t space = (*pool_head)->size - (*pool_head)->used;
int res;
ssize_t grow;
char *target;
@ -1931,10 +1932,19 @@ void __ast_string_field_ptr_build_va(struct ast_string_field_mgr *mgr,
* so we don't need to re-align anything here.
*/
target = (*pool_head)->base + (*pool_head)->used + ast_alignof(ast_string_field_allocation);
available = space - ast_alignof(ast_string_field_allocation);
if (space > ast_alignof(ast_string_field_allocation)) {
available = space - ast_alignof(ast_string_field_allocation);
} else {
available = 0;
}
}
needed = vsnprintf(target, available, format, ap1) + 1;
res = vsnprintf(target, available, format, ap1);
if (res < 0) {
/* Are we out of memory? */
return;
}
needed = (size_t)res + 1; /* NUL byte */
if (needed > available) {
/* the allocation could not be satisfied using the field's current allocation
@ -1953,7 +1963,8 @@ void __ast_string_field_ptr_build_va(struct ast_string_field_mgr *mgr,
*/
__ast_string_field_release_active(*pool_head, *ptr);
mgr->last_alloc = *ptr = target;
AST_STRING_FIELD_ALLOCATION(target) = needed;
ast_assert(needed < (ast_string_field_allocation)-1);
AST_STRING_FIELD_ALLOCATION(target) = (ast_string_field_allocation)needed;
(*pool_head)->used += ast_make_room_for(needed, ast_string_field_allocation);
(*pool_head)->active += needed;
} else if ((grow = (needed - AST_STRING_FIELD_ALLOCATION(*ptr))) > 0) {

Write Preview
Loading…
Cancel
Save