Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#1007 closed defect (fixed)

Heap corruption when socket address with invalid address family is given (thanks Emil Sturniolo for the report)

Reported by: bennylp Owned by: bennylp
Priority: normal Milestone: release-1.5.5
Component: pjlib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description

Consider the following function:

PJ_DEF(void) pj_sockaddr_cp(pj_sockaddr_t *dst, const pj_sockaddr_t *src)
{
   pj_memcpy(dst, src, pj_sockaddr_get_len(src));
}

and looking at pj_sockaddr_get_len() implementation:

PJ_DEF(unsigned) pj_sockaddr_get_len(const pj_sockaddr_t *addr)
{
    const pj_sockaddr *a = (const pj_sockaddr*) addr;
    PJ_ASSERT_RETURN(a->addr.sa_family == PJ_AF_INET ||
		     a->addr.sa_family == PJ_AF_INET6, PJ_EAFNOTSUP);
    return a->addr.sa_family == PJ_AF_INET6 ?
	    sizeof(pj_sockaddr_in6) : sizeof(pj_sockaddr_in);
}

The problem is when the address family contains unsupported value, PJ_EAFNOTSUP error will be returned, causing the caller to copy 70022 bytes of memory, corrupting the heap.

Change History (2)

comment:1 Changed 10 years ago by bennylp

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r3037

comment:2 Changed 10 years ago by ismangil

  • Milestone changed from release-1.6 to release-1.5.5
Note: See TracTickets for help on using tickets.