[
https://issues.apache.org/jira/browse/TS-3353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14299361#comment-14299361
]
Brian Geffon edited comment on TS-3353 at 1/30/15 11:22 PM:
------------------------------------------------------------
You cannot do this: {{ats_scoped_str tmp(new char[viaHdrLength + 2]);}} as
ats_scoped_str will call {{free()}} and not {{delete[]}}.
If you know the length then you should use {{strncpy}} instead of
{{strcpy(&tmp[0], str);}}
was (Author: briang):
You cannot do this: {{ats_scoped_str tmp(new char[viaHdrLength + 2]);}} as
ats_scoped_str will call {{free()}} and not {{delete[]}}.
If you're know the length then you should use {{strncpy}} instead of
{{strcpy(&tmp[0], str);}}
> traffic_via memory bug.
> -----------------------
>
> Key: TS-3353
> URL: https://issues.apache.org/jira/browse/TS-3353
> Project: Traffic Server
> Issue Type: Bug
> Reporter: Bin
> Attachments: traffic_via_memory_overwrite_bug.diff
>
>
> A memory overwriting bug was found in traffic_via which can potentially lead
> to remote code execution. In function decodeViaHeader in file traffic_via.cc,
> a call to strcat can potentially overwrite outside the bounds on the heap.
> For example, if the via header string is "abcde", the strcat concatenates a
> byte to the end and can corrupt the adjacent byte.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
