Heiner Marxen created AXIS2C-1600:
-------------------------------------
Summary: buffer overrun by patching NUL behind stream buffer
Key: AXIS2C-1600
URL: https://issues.apache.org/jira/browse/AXIS2C-1600
Project: Axis2-C
Issue Type: Bug
Components: core/transport, util, xml/om
Affects Versions: 1.6.0
Reporter: Heiner Marxen
In functions axiom_data_source_serialize() and
axis2_simple_http_svr_conn_write_respond() the buffer obtained via
axutil_stream_get_buffer() and axutil_stream_get_len() is terminated with a NUL
byte by patching behind the filled data. If the buffer is exactly full at that
time, that NUL is patched into not allocated memory, which may currupt the
malloc memory arena (corrupt the heap).
We have patched "stream.c" to always allocate one more byte than is necessary
or used, so that always at least one more byte of memory is allocated. That
made our crashes go away.
A more clean solution would be to have stream.c offer a function that
guarantees that additional byte (eventually reallocating), which would be
called prior to axutil_stream_get_buffer(), whenever such a NUL byte patching
is required.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
