You are viewing a plain text version of this content. The canonical link for it is here.
Posted to c-dev@axis.apache.org by "Heiner Marxen (JIRA)" <ji...@apache.org> on 2012/06/21 17:48:43 UTC
[jira] [Created] (AXIS2C-1600) buffer overrun by patching NUL
behind stream buffer
Heiner Marxen created AXIS2C-1600:
-------------------------------------
Summary: buffer overrun by patching NUL behind stream buffer
Key: AXIS2C-1600
URL: https://issues.apache.org/jira/browse/AXIS2C-1600
Project: Axis2-C
Issue Type: Bug
Components: core/transport, util, xml/om
Affects Versions: 1.6.0
Reporter: Heiner Marxen
In functions axiom_data_source_serialize() and axis2_simple_http_svr_conn_write_respond() the buffer obtained via axutil_stream_get_buffer() and axutil_stream_get_len() is terminated with a NUL byte by patching behind the filled data. If the buffer is exactly full at that time, that NUL is patched into not allocated memory, which may currupt the malloc memory arena (corrupt the heap).
We have patched "stream.c" to always allocate one more byte than is necessary or used, so that always at least one more byte of memory is allocated. That made our crashes go away.
A more clean solution would be to have stream.c offer a function that guarantees that additional byte (eventually reallocating), which would be called prior to axutil_stream_get_buffer(), whenever such a NUL byte patching is required.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: c-dev-help@axis.apache.org