[ https://issues.apache.org/jira/browse/TS-3353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14299361#comment-14299361 ]
Brian Geffon edited comment on TS-3353 at 1/30/15 11:22 PM: ------------------------------------------------------------ You cannot do this: {{ats_scoped_str tmp(new char[viaHdrLength + 2]);}} as ats_scoped_str will call {{free()}} and not {{delete[]}}. If you know the length then you should use {{strncpy}} instead of {{strcpy(&tmp[0], str);}} was (Author: briang): You cannot do this: {{ats_scoped_str tmp(new char[viaHdrLength + 2]);}} as ats_scoped_str will call {{free()}} and not {{delete[]}}. If you're know the length then you should use {{strncpy}} instead of {{strcpy(&tmp[0], str);}} > traffic_via memory bug. > ----------------------- > > Key: TS-3353 > URL: https://issues.apache.org/jira/browse/TS-3353 > Project: Traffic Server > Issue Type: Bug > Reporter: Bin > Attachments: traffic_via_memory_overwrite_bug.diff > > > A memory overwriting bug was found in traffic_via which can potentially lead > to remote code execution. In function decodeViaHeader in file traffic_via.cc, > a call to strcat can potentially overwrite outside the bounds on the heap. > For example, if the via header string is "abcde", the strcat concatenates a > byte to the end and can corrupt the adjacent byte. -- This message was sent by Atlassian JIRA (v6.3.4#6332)