[jira] [Resolved] (AXIS2C-1546) Logging of long input/output messages contains garbage data on Windows

Wed, 28 Jan 2026 17:55:06 -0800 


     [ 
https://issues.apache.org/jira/browse/AXIS2C-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Lazarski resolved AXIS2C-1546.
-------------------------------------
    Fix Version/s: 2.0.0
       Resolution: Fixed

    On Windows, _vsnprintf does not null-terminate the output buffer when
    the formatted string is truncated to fit. This causes garbage data to
    appear in log files when log messages exceed AXIS2_LEN_VALUE (4096 bytes).
    
    The fix explicitly null-terminates the buffer after each AXIS2_VSNPRINTF
    call. This is safe on all platforms: POSIX vsnprintf already 
null-terminates,
    so the extra assignment is harmless, and on Windows it fixes the bug.
    
    Note: This is a low-risk Windows-only fix that was not tested on Windows.
    The change is defensive and should not affect Linux/Unix builds.


> Logging of long input/output messages contains garbage data on Windows
> ----------------------------------------------------------------------
>
>                 Key: AXIS2C-1546
>                 URL: https://issues.apache.org/jira/browse/AXIS2C-1546
>             Project: Axis2-C
>          Issue Type: Bug
>          Components: util
>    Affects Versions: 1.5.0, 1.6.0
>         Environment: Windows
>            Reporter: Dan Polleys
>            Priority: Minor
>             Fix For: 2.0.0
>
>   Original Estimate: 5m
>  Remaining Estimate: 5m
>
> When logging of input/output messages are enabled and the length of the 
> message is greater than or equal to AXIS2_LEN_VALUE (currently 6,000), the 
> message contains trailing "garbage" data which gives the appearance of data 
> corruption. The garbage data attributed to the behavior of the sprintf family 
> of functions on Windows and specifically _vsnprintf. When the number of 
> characters to write is greater than or equal to the count argument (in this 
> case AXIS2_LEN_VALUE), the buffer is not null-terminated. Initializing the 
> buffer prior to the AXIS2_VSNPRINTF call in util/src/log.c will prevent this 
> situation from occurring.
> While this situation is currently only likely to occur with the "info" level 
> of log messages, this vulnerability exists in all levels.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to