#1007 closed defect (fixed)
Heap corruption when socket address with invalid address family is given (thanks Emil Sturniolo for the report)
Reported by: | bennylp | Owned by: | bennylp
---|---|---|---
Priority: | normal | Milestone: | release-1.5.5
Component: | pjlib | Version: | trunk
Keywords: | | Cc: |
Backport to 1.x milestone: | | Backported: |
Description
Consider the following function:

```c
PJ_DEF(void) pj_sockaddr_cp(pj_sockaddr_t *dst, const pj_sockaddr_t *src)
{
    pj_memcpy(dst, src, pj_sockaddr_get_len(src));
}
```

and the pj_sockaddr_get_len() implementation it relies on:

```c
PJ_DEF(unsigned) pj_sockaddr_get_len(const pj_sockaddr_t *addr)
{
    const pj_sockaddr *a = (const pj_sockaddr*) addr;
    PJ_ASSERT_RETURN(a->addr.sa_family == PJ_AF_INET ||
                     a->addr.sa_family == PJ_AF_INET6, PJ_EAFNOTSUP);
    return a->addr.sa_family == PJ_AF_INET6 ?
           sizeof(pj_sockaddr_in6) : sizeof(pj_sockaddr_in);
}
```
The problem is that when the address family holds an unsupported value, PJ_ASSERT_RETURN returns the status code PJ_EAFNOTSUP through the function's `unsigned` return type. The caller never sees an error; it sees a length of 70022 and memcpy()s that many bytes into a pj_sockaddr that is only a few dozen bytes long, corrupting the heap. In builds where pj_assert() is compiled out, nothing stops before the copy, so the corruption is silent.
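The following standalone program, added here as an illustration and not code from the ticket or from pjlib, models the mechanism with stand-in types. The struct layouts, constants, the `vuln_`/`safe_` function names and the shape of the hardened variant (returning 0 on an unsupported family and making the copy refuse a zero length) are assumptions for the example; they are not a reproduction of r3037.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the pjlib types and constants involved. Layouts and values
 * are assumptions for this example, chosen so that sizeof() matches the usual
 * sockaddr_in (16) and sockaddr_in6 (28); they are not pjlib's headers. */
#define PJ_AF_INET            2
#define PJ_AF_INET6           10
#define PJ_SUCCESS            0
#define PJ_ERRNO_START_STATUS 70000
#define PJ_EAFNOTSUP          (PJ_ERRNO_START_STATUS + 22)  /* 70022 */

typedef int pj_status_t;

typedef struct { uint16_t sa_family; char sa_data[14]; } pj_sockaddr_core;
typedef struct { uint16_t sin_family; uint16_t sin_port;
                 uint32_t sin_addr; char sin_zero[8]; } pj_sockaddr_in;
typedef struct { uint16_t sin6_family; uint16_t sin6_port;
                 uint32_t sin6_flowinfo; uint8_t sin6_addr[16];
                 uint32_t sin6_scope_id; } pj_sockaddr_in6;
typedef union { pj_sockaddr_core addr; pj_sockaddr_in ipv4;
                pj_sockaddr_in6 ipv6; } pj_sockaddr;

/* PJ_ASSERT_RETURN as it behaves once pj_assert() is compiled out:
 * no abort, just "return retval". */
#define PJ_ASSERT_RETURN(expr, retval) \
    do { if (!(expr)) return (retval); } while (0)

/* The ticket's version: the status code PJ_EAFNOTSUP comes back through an
 * unsigned return type, so an unsupported family yields a "length" of 70022. */
static unsigned vuln_sockaddr_get_len(const pj_sockaddr *a)
{
    PJ_ASSERT_RETURN(a->addr.sa_family == PJ_AF_INET ||
                     a->addr.sa_family == PJ_AF_INET6, PJ_EAFNOTSUP);
    return a->addr.sa_family == PJ_AF_INET6 ? sizeof(pj_sockaddr_in6)
                                            : sizeof(pj_sockaddr_in);
}

/* Hardened variant (assumed fix shape, not a copy of r3037): the failure
 * value is 0, which memcpy() cannot turn into an overrun. */
static unsigned safe_sockaddr_get_len(const pj_sockaddr *a)
{
    PJ_ASSERT_RETURN(a->addr.sa_family == PJ_AF_INET ||
                     a->addr.sa_family == PJ_AF_INET6, 0);
    return a->addr.sa_family == PJ_AF_INET6 ? sizeof(pj_sockaddr_in6)
                                            : sizeof(pj_sockaddr_in);
}

/* Copy that validates before trusting the length: on an unsupported family
 * it reports PJ_EAFNOTSUP and leaves dst untouched. */
static pj_status_t safe_sockaddr_cp(pj_sockaddr *dst, const pj_sockaddr *src)
{
    unsigned len = safe_sockaddr_get_len(src);
    if (len == 0 || len > sizeof(*dst))
        return PJ_EAFNOTSUP;
    memcpy(dst, src, len);
    return PJ_SUCCESS;
}

/* Build a zeroed address carrying only the given family (constructed input). */
static pj_sockaddr make_addr(uint16_t family)
{
    pj_sockaddr a;
    memset(&a, 0, sizeof a);
    a.addr.sa_family = family;
    return a;
}

/* Length each variant would hand to memcpy() for the given family. */
unsigned vuln_len_for_family(uint16_t family)
{ pj_sockaddr a = make_addr(family); return vuln_sockaddr_get_len(&a); }

unsigned safe_len_for_family(uint16_t family)
{ pj_sockaddr a = make_addr(family); return safe_sockaddr_get_len(&a); }

/* Status the hardened copy returns for the given family. */
pj_status_t safe_copy_status(uint16_t family)
{
    pj_sockaddr src = make_addr(family), dst;
    return safe_sockaddr_cp(&dst, &src);
}

/* 1 if the hardened copy wrote into dst for the given family, else 0.
 * dst is filled with a poison pattern first so any write is visible. */
int safe_copy_touched_dst(uint16_t family)
{
    pj_sockaddr src = make_addr(family), dst;
    memset(&dst, 0xAA, sizeof dst);
    (void) safe_sockaddr_cp(&dst, &src);
    return dst.addr.sa_family != 0xAAAA;
}

int main(void)
{
    const uint16_t families[] = { PJ_AF_INET, PJ_AF_INET6, 99 };
    size_t i;
    printf("pj_sockaddr is %u bytes\n", (unsigned) sizeof(pj_sockaddr));
    for (i = 0; i < sizeof families / sizeof families[0]; i++) {
        unsigned f = families[i];
        printf("family %2u: vuln len %5u, safe len %2u, safe copy status %d, "
               "dst written %d\n", f, vuln_len_for_family(families[i]),
               safe_len_for_family(families[i]),
               safe_copy_status(families[i]),
               safe_copy_touched_dst(families[i]));
    }
    return 0;
}
```

Running it shows the vulnerable length for family 99 is 70022 against a 28-byte destination, while the hardened pair reports PJ_EAFNOTSUP and leaves the destination unwritten. The general lesson is the type mismatch: any function that returns a size as `unsigned` must not reuse a status code as its failure value, because every non-zero status is a plausible-looking length.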
Change History (2)
comment:1 Changed 15 years ago by bennylp
- Resolution set to fixed
- Status changed from new to closed
comment:2 Changed 15 years ago by ismangil
- Milestone changed from release-1.6 to release-1.5.5
Fixed in r3037