Heiner Marxen created AXIS2C-1600:
-------------------------------------

             Summary: buffer overrun by patching NUL behind stream buffer
                 Key: AXIS2C-1600
                 URL: https://issues.apache.org/jira/browse/AXIS2C-1600
             Project: Axis2-C
          Issue Type: Bug
          Components: core/transport, util, xml/om
    Affects Versions: 1.6.0
            Reporter: Heiner Marxen


In functions axiom_data_source_serialize() and 
axis2_simple_http_svr_conn_write_respond() the buffer obtained via 
axutil_stream_get_buffer() and axutil_stream_get_len() is terminated with a NUL 
byte by patching behind the filled data. If the buffer is exactly full at that 
time, that NUL is patched into unallocated memory, which may corrupt the 
malloc memory arena (corrupt the heap).

We have patched "stream.c" to always allocate one more byte than is necessary 
or used, so that always at least one more byte of memory is allocated. That 
made our crashes go away.

A cleaner solution would be to have stream.c offer a function that 
guarantees that additional byte (eventually reallocating), which would be 
called prior to axutil_stream_get_buffer(), whenever such a NUL byte patching 
is required.
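The off-by-one described above and the reserve-one-byte fix the report proposes, as an added example that is not Axis2/C code: the demo_stream_* names and the exact-fit growth policy are assumptions chosen to reproduce the "buffer exactly full" condition.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the axutil_stream buffer: 'len' bytes used out of
 * 'cap' allocated. Names are assumptions, not the Axis2/C API. */
typedef struct {
    char  *buf;
    size_t len;
    size_t cap;
} demo_stream_t;

void demo_stream_init(demo_stream_t *s) { s->buf = NULL; s->len = 0; s->cap = 0; }
void demo_stream_free(demo_stream_t *s) { free(s->buf); demo_stream_init(s); }

/* Append n bytes, growing the buffer to exactly the size needed. After a write
 * that fills it, len == cap: the state in which buf[len] = '\0' overruns. */
int demo_stream_write(demo_stream_t *s, const void *data, size_t n) {
    if (s->len + n > s->cap) {
        char *nb = realloc(s->buf, s->len + n);
        if (nb == NULL) return -1;
        s->buf = nb;
        s->cap = s->len + n;
    }
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return 0;
}

/* Returns 1 when patching a NUL at buf[len] would write past the allocation. */
int demo_stream_nul_would_overrun(const demo_stream_t *s) { return s->len >= s->cap; }

/* The fix the report suggests: guarantee one spare byte behind the used data,
 * reallocating if necessary. Returns 0 on success, -1 on allocation failure. */
int demo_stream_reserve_nul(demo_stream_t *s) {
    if (s->len < s->cap) return 0;          /* spare byte already present */
    char *nb = realloc(s->buf, s->cap + 1); /* +1 is enough; could grow more */
    if (nb == NULL) return -1;
    s->buf = nb;
    s->cap += 1;
    return 0;
}

/* Safe termination: reserve room first, then patch the NUL in bounds. */
const char *demo_stream_get_cstring(demo_stream_t *s) {
    if (demo_stream_reserve_nul(s) != 0) return NULL;
    s->buf[s->len] = '\0';                  /* len < cap is now guaranteed */
    return s->buf;
}
```

Running the original pattern (write 8 bytes, then `buf[8] = '\0'` without the reserve call) under AddressSanitizer reports a one-byte heap-buffer-overflow, which is the corruption the report attributes to the crashes.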
