[jira] Commented: (AXIS2C-925) seg fault in axiom_soap_fault_get_text if SOAP 1.1

[Bill Mitchell (JIRA)]

    [ 
https://issues.apache.org/jira/browse/AXIS2C-925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564151#action_12564151
 ] 

Bill Mitchell commented on AXIS2C-925:
--------------------------------------

I updated to newer sources, retested, recreated the SOAP 1.1 fault situation 
and verified that it is handled correctly.  Thanks, Dinesh.

> seg fault in axiom_soap_fault_get_text if SOAP 1.1
> --------------------------------------------------
>
>                 Key: AXIS2C-925
>                 URL: https://issues.apache.org/jira/browse/AXIS2C-925
>             Project: Axis2-C
>          Issue Type: Bug
>          Components: xml/soap
>    Affects Versions: Current (Nightly)
>         Environment: Windows XP, Visual Studio 2005, libxml2, libcurl
>            Reporter: Bill Mitchell
>            Assignee: Dinesh Premalal
>             Fix For: 1.2.1
>
>         Attachments: soapfault.diff
>
>
> If a SOAP 1.1 server returns a SOAP fault, a seg fault can happen if the 
> client calls axiom_soap_fault_get_text.  At the time of the crash, using the 
> debugger the om_ele_node in the fault_value points to memory that has been 
> reused, probably as a result of being released.  When axiom_element_get_text 
> is called, the data_element it is passed appears to be overwritten or reused, 
> so axiom_element_get_text sees om_element->text_value as nonzero, tries to 
> free it, and the C runtime diagnoses a memory management error on the free.  
> Stepping through with the debugger, the crux of the problem lies in 
> soap_body.c, where axiom_soap_body_convert_fault_to_soap11 detaches the 
> fault_value_node, converts its contents to text, issues the free_tree to free 
> the node and its children, but leaves the pointer as the 
> axiom_soap_fault_value_base_node.  So the later call to 
> axiom_soap_fault_get_text believes there is still a node tree structure 
> present. The same oversight occurs when processing the fault_reason.  The 
> axiom_soap_fault_text_base_node is detached, converted to a single text 
> string, the node tree is freed, but the pointer is left as the 
> axiom_soap_fault_base_node.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]