Author: wdoekes
Date: Mon Aug 11 05:37:41 2014
New Revision: 420716

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=420716
Log:
general: Fix memory corruption in __ast_string_field_ptr_build_va.

If the space left in a stringfield is between 0 and
(alignof(ast_string_field_allocation)-1) adding new data would cause
memory corruption, because we would assume enough space (unsigned
underrun).

Thanks Arnd Schmitter for reporting and finding out the cause!

ASTERISK-23508 #close
Reported by: Arnd Schmitter
Tested by: Arnd Schmitter, JoshE

Review: https://reviewboard.asterisk.org/r/3898/
........

Merged revisions 420680 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 420715 from http://svn.asterisk.org/svn/asterisk/branches/11

Modified:
    branches/12/   (props changed)
    branches/12/main/utils.c

Propchange: branches/12/
------------------------------------------------------------------------------
Binary property 'branch-11-merged' - no diff available.

Modified: branches/12/main/utils.c
URL: http://svnview.digium.com/svn/asterisk/branches/12/main/utils.c?view=diff&rev=420716&r1=420715&r2=420716
==============================================================================
--- branches/12/main/utils.c (original)
+++ branches/12/main/utils.c Mon Aug 11 05:37:41 2014
@@ -1993,6 +1993,7 @@
        size_t needed;
        size_t available;
        size_t space = (*pool_head)->size - (*pool_head)->used;
+       int res;
        ssize_t grow;
        char *target;
        va_list ap2;
@@ -2012,12 +2013,22 @@
                 * so we don't need to re-align anything here.
                 */
                target = (*pool_head)->base + (*pool_head)->used + 
ast_alignof(ast_string_field_allocation);
-               available = space - ast_alignof(ast_string_field_allocation);
+               if (space > ast_alignof(ast_string_field_allocation)) {
+                       available = space - 
ast_alignof(ast_string_field_allocation);
+               } else {
+                       available = 0;
+               }
        }
 
        va_copy(ap2, ap);
-       needed = vsnprintf(target, available, format, ap2) + 1;
+       res = vsnprintf(target, available, format, ap2);
        va_end(ap2);
+
+       if (res < 0) {
+               /* Are we out of memory? */
+               return;
+       }
+       needed = (size_t)res + 1; /* NUL byte */
 
        if (needed > available) {
                /* the allocation could not be satisfied using the field's 
current allocation
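Review bot: the `space > ast_alignof(ast_string_field_allocation)` guard is the real fix in this hunk: `space` is a `size_t`, so the old `available = space - ast_alignof(...)` wrapped to a huge value whenever fewer than alignof bytes were left in the pool, and `vsnprintf` was then told it had that much room to write into. Setting `available = 0` in the `else` branch means `vsnprintf` writes nothing and only reports the required length, so `needed > available` forces the grow path, which is the intended behaviour. Two smaller points: `target` is still computed as `base + used + ast_alignof(...)` in the same block, so when `space` is smaller than alignof it points past the end of the pool (harmless only because `available` is 0; a comment next to that assignment would make the invariant explicit), and the comment on the new `if (res < 0)` path, `/* Are we out of memory? */`, is misleading, since a negative return from `vsnprintf` signals an encoding or output error rather than an allocation failure; the bare `return` also leaves the caller with no indication that `*ptr` was not updated, so at minimum an `ast_log` there would help diagnose it.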
@@ -2037,7 +2048,8 @@
                */
                __ast_string_field_release_active(*pool_head, *ptr);
                mgr->last_alloc = *ptr = target;
-               AST_STRING_FIELD_ALLOCATION(target) = needed;
+               ast_assert(needed < (ast_string_field_allocation)-1);
+               AST_STRING_FIELD_ALLOCATION(target) = 
(ast_string_field_allocation)needed;
                (*pool_head)->used += ast_make_room_for(needed, 
ast_string_field_allocation);
                (*pool_head)->active += needed;
        } else if ((grow = (needed - AST_STRING_FIELD_ALLOCATION(*ptr))) > 0) {
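Review bot: the new `ast_assert(needed < (ast_string_field_allocation)-1)` only protects the narrowing cast on the following line, `AST_STRING_FIELD_ALLOCATION(target) = (ast_string_field_allocation)needed;`, in builds where assertions are compiled in; if `ast_assert` expands to nothing in other builds, an oversized `needed` is still silently truncated and the recorded allocation size no longer matches the bytes actually written into the pool. Prefer a runtime check that bails out (as the `res < 0` path in the previous hunk does) instead of, or alongside, the assert. Also, `(ast_string_field_allocation)-1` as a way of spelling the type's maximum value deserves a short comment or a named constant so the intent of the comparison is obvious to the next reader.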

