[ https://issues.apache.org/jira/browse/AXIS2C-1600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bill Blough resolved AXIS2C-1600.
---------------------------------
    Resolution: Fixed

Add axutil_stream_set_buffer_end_null function to allow null-termination of basic streams with automatic memory reallocation. Updated axiom_data_source_serialize and axis2_simple_http_svr_conn_write_response to use the new function.

Fixed in 7de836303e80dcd2cdeb675be3bf66c2290776d2

> buffer overrun by patching NUL behind stream buffer
> ---------------------------------------------------
>
>                 Key: AXIS2C-1600
>                 URL: https://issues.apache.org/jira/browse/AXIS2C-1600
>             Project: Axis2-C
>          Issue Type: Bug
>          Components: core/transport, util, xml/om
>    Affects Versions: 1.6.0
>            Reporter: Heiner Marxen
>            Priority: Major
>             Fix For: 1.7.0
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> In functions axiom_data_source_serialize() and
> axis2_simple_http_svr_conn_write_respond() the buffer obtained via
> axutil_stream_get_buffer() and axutil_stream_get_len() is terminated with a
> NUL byte by patching behind the filled data. If the buffer is exactly full at
> that time, that NUL is patched into not allocated memory, which may corrupt
> the malloc memory arena (corrupt the heap).
> We have patched "stream.c" to always allocate one more byte than is necessary
> or used, so that always at least one more byte of memory is allocated. That
> made our crashes go away.
> A more clean solution would be to have stream.c offer a function that
> guarantees that additional byte (eventually reallocating), which would be
> called prior to axutil_stream_get_buffer(), whenever such a NUL byte patching
> is required.
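
The exact-fit case from the report and the reserve-then-terminate approach named in the resolution, as an added C example that is not Axis2/C code and not part of the original message. `demo_stream` and the `demo_*` functions are hypothetical stand-ins; the real signature of axutil_stream_set_buffer_end_null is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a basic stream; not the Axis2/C struct. */
typedef struct { char *buf; size_t len, cap; } demo_stream;

/* Grow the allocation to exactly `need` bytes if it is smaller. */
static int demo_reserve(demo_stream *s, size_t need)
{
    if (need > s->cap) {
        char *p = realloc(s->buf, need);
        if (!p) return -1;          /* old buffer stays valid on failure */
        s->buf = p;
        s->cap = need;
    }
    return 0;
}

/* Append n bytes with an exact-fit allocation, so the buffer can end
 * up exactly full (len == cap), the case the report describes. */
static int demo_write(demo_stream *s, const void *data, size_t n)
{
    if (demo_reserve(s, s->len + n)) return -1;
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return 0;
}

/* The reported pattern is a caller doing buf[len] = '\0' directly.
 * Returns 1 when that write would land outside the allocation. */
static int demo_nul_patch_overruns(const demo_stream *s) { return s->len >= s->cap; }

/* Hardened form: guarantee one byte past the data (reallocating if
 * the buffer is full), then terminate. len itself is unchanged. */
static int demo_set_end_null(demo_stream *s)
{
    if (demo_reserve(s, s->len + 1)) return -1;
    s->buf[s->len] = '\0';
    return 0;
}

int main(void)
{
    demo_stream s = {0};
    if (demo_write(&s, "HTTP/1.1 200 OK", 15) || demo_set_end_null(&s)) return 1;
    printf("%s len=%zu cap=%zu\n", s.buf, s.len, s.cap);
    free(s.buf);
}
```

Because the terminator helper can reallocate, callers have to fetch the buffer pointer after calling it, not before.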