diff options
author | Walter Doekes <walter+asterisk@wjd.nu> | 2014-08-11 10:40:10 +0000 |
---|---|---|
committer | Walter Doekes <walter+asterisk@wjd.nu> | 2014-08-11 10:40:10 +0000 |
commit | b94fc0696663d0b3773965fefb0e12f56542a83c (patch) | |
tree | d46dc9f525b1442db85fb13338fc98cedb6ab117 /main/utils.c | |
parent | 4e07345c2854068e4099a456c4b976ad9e381945 (diff) |
general: Fix memory Corruption in __ast_string_field_ptr_build_va.
If the space left in a stringfield is between 0 and
(alignof(ast_string_field_allocation)-1) adding new data would cause
memory corruption, because we would assume enough space (unsigned
underrun).
Thanks Arnd Schmitter for reporting and finding out the cause!
ASTERISK-23508 #close
Reported by: Arnd Schmitter
Tested by: Arnd Schmitter, JoshE
Review: https://reviewboard.asterisk.org/r/3898/
........
Merged revisions 420680 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 420715 from http://svn.asterisk.org/svn/asterisk/branches/11
........
Merged revisions 420716 from http://svn.asterisk.org/svn/asterisk/branches/12
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/13@420717 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'main/utils.c')
-rw-r--r-- | main/utils.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/main/utils.c b/main/utils.c index a916e79c8..ba646c44b 100644 --- a/main/utils.c +++ b/main/utils.c @@ -2001,6 +2001,7 @@ void __ast_string_field_ptr_build_va(struct ast_string_field_mgr *mgr, size_t needed; size_t available; size_t space = (*pool_head)->size - (*pool_head)->used; + int res; ssize_t grow; char *target; va_list ap2; @@ -2020,13 +2021,23 @@ void __ast_string_field_ptr_build_va(struct ast_string_field_mgr *mgr, * so we don't need to re-align anything here. */ target = (*pool_head)->base + (*pool_head)->used + ast_alignof(ast_string_field_allocation); - available = space - ast_alignof(ast_string_field_allocation); + if (space > ast_alignof(ast_string_field_allocation)) { + available = space - ast_alignof(ast_string_field_allocation); + } else { + available = 0; + } } va_copy(ap2, ap); - needed = vsnprintf(target, available, format, ap2) + 1; + res = vsnprintf(target, available, format, ap2); va_end(ap2); + if (res < 0) { + /* Are we out of memory? */ + return; + } + needed = (size_t)res + 1; /* NUL byte */ + if (needed > available) { /* the allocation could not be satisfied using the field's current allocation (if it has one), or the space available in the pool (if it does not). allocate @@ -2045,7 +2056,8 @@ void __ast_string_field_ptr_build_va(struct ast_string_field_mgr *mgr, */ __ast_string_field_release_active(*pool_head, *ptr); mgr->last_alloc = *ptr = target; - AST_STRING_FIELD_ALLOCATION(target) = needed; + ast_assert(needed < (ast_string_field_allocation)-1); + AST_STRING_FIELD_ALLOCATION(target) = (ast_string_field_allocation)needed; (*pool_head)->used += ast_make_room_for(needed, ast_string_field_allocation); (*pool_head)->active += needed; } else if ((grow = (needed - AST_STRING_FIELD_ALLOCATION(*ptr))) > 0) { |