[Xorp-cvs] XORP cvs commit: xorp/libxipc

Bruce Simpson bms at icir.org
Mon May 5 03:47:06 PDT 2008


CVSROOT:	/usr/local/www/data/cvs
Module name:	xorp
Changes by:	bms at chum.icir.org	2008-05-05 10:47:06 UTC

XORP CVS repository


Modified files:
	libxipc       xrl_pf_stcp.cc 

Log message:
	Fix use-after-free as a result of incorrect STL container usage.
	
	 1. STCPPacketHeader is a simple convenience wrapper. It is implemented in
	terms of a set of convenience pointers into a buffer which it does not
	own, and it performs no bounds checking; it assumes that the buffer
	passed to it is at least as large as its required size.
	
	 2. STCPPacketHeader::frame_bytes() is implemented in terms of
	dereferencing several of these convenience pointers.
	
	 3. In STCPRequestHandler::read_event(), STCPPacketHeader is constructed
	from a pointer into a buffer owned by BufferedAsyncReader.
	
	 4. STCPPacketHeader::frame_bytes() is conceptually a candidate for becoming
	an inline method; however, it is defined within a separate translation unit,
	therefore it is NOT a candidate for inlining or related optimization. As a
	result, the pointer dereferences happen every time it is called.
	
	 5. BufferedAsyncReader::set_reserve_bytes() is a method which may cause
	its internal buffer, implemented as a std::vector, to be resized. Pointers
	to elements of a std::vector are NOT guaranteed to remain valid after
	the resize() method is called.
	
	As a direct result, when STCPRequestHandler::read_event() tries to resize
	its buffer [5] to accommodate a large (but expected) influx of data [4],
	several bad things happen:
	 * The pointers into the buffer are invalidated.
	 * Further state is set regarding this buffer using the invalid pointers.
	 * The next time BufferedAsyncReader's read callback fires, the tail and
	   head pointers are invalid, and the callback attempts to read into memory
	   which it doesn't own, causing heap corruption.
	
	Fix the use-after-free by caching the result of [4] before calling [5].
	
	Bugzilla URL:   http://bugzilla.xorp.org/bugzilla/show_bug.cgi?id=750

Revision  Changes                              Path
1.61      +5 -4;  commitid: 6423481ee58241a7;  xorp/libxipc/xrl_pf_stcp.cc
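The ordering bug the log message describes, reduced to a stand-alone example. This is added illustration code, not XORP's own: the header layout (2-byte type, 2-byte big-endian payload length), the class names PacketHeader and BufferedReader, and the helper functions are all assumptions made for the example. One function reproduces the pre-fix ordering (header built over the buffer, buffer grown, header consulted again) and reports whether the grow moved the storage, which is exactly the condition under which the second call would have read freed memory; the other applies the commit's fix and caches frame_bytes() before calling the reserve method.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Illustrative packet header: 2-byte type, 2-byte big-endian payload length.
// Assumed layout for this example, not XORP's STCP wire format.
class PacketHeader {
public:
    static constexpr size_t kHeaderBytes = 4;

    // Like STCPPacketHeader: holds a pointer into a buffer it does not own
    // and performs no bounds checking.
    explicit PacketHeader(const uint8_t* buf) : p_(buf) {}

    uint16_t payload_bytes() const {
        return static_cast<uint16_t>((p_[2] << 8) | p_[3]);
    }
    // Every call dereferences p_ (out of line in the real code, so the
    // compiler cannot fold the earlier result).
    size_t frame_bytes() const { return kHeaderBytes + payload_bytes(); }

private:
    const uint8_t* p_;
};

// Minimal stand-in for BufferedAsyncReader: a std::vector-backed buffer
// whose reserve call may reallocate.
class BufferedReader {
public:
    explicit BufferedReader(size_t initial_bytes) : buf_(initial_bytes, 0) {}

    uint8_t* data() { return buf_.data(); }
    size_t size() const { return buf_.size(); }

    // Grows the backing vector when more room is needed. After a grow,
    // every pointer previously obtained from data() is invalid.
    void set_reserve_bytes(size_t bytes) {
        if (bytes > buf_.size()) buf_.resize(bytes);
    }

private:
    std::vector<uint8_t> buf_;
};

// Constructed input: a header announcing `payload` bytes at the front of a
// fresh buffer of `initial_bytes` (must be at least kHeaderBytes).
static BufferedReader make_reader(size_t initial_bytes, uint16_t payload) {
    BufferedReader r(initial_bytes);
    uint8_t* b = r.data();
    b[0] = 0; b[1] = 1;                         // type
    b[2] = static_cast<uint8_t>(payload >> 8);   // length, big-endian
    b[3] = static_cast<uint8_t>(payload & 0xff);
    return r;
}

// Pre-fix ordering: the header is built over data(), the buffer is grown to
// frame_bytes(), and then frame_bytes() is called again through the stale
// pointer. Dereferencing it is undefined behaviour, so instead of doing that
// we report whether the grow moved the storage, i.e. whether the second call
// would have read freed memory.
bool stale_header_after_reserve(size_t initial_bytes, uint16_t payload) {
    BufferedReader r = make_reader(initial_bytes, payload);
    const uint8_t* storage_before = r.data();
    PacketHeader hdr(r.data());
    r.set_reserve_bytes(hdr.frame_bytes());
    // Original code then did: size_t n = hdr.frame_bytes();  // UAF on a grow
    return r.data() != storage_before;
}

// Fixed ordering from the commit: cache frame_bytes() before calling
// set_reserve_bytes(), and never touch hdr afterwards.
size_t frame_bytes_cached_before_reserve(size_t initial_bytes, uint16_t payload) {
    BufferedReader r = make_reader(initial_bytes, payload);
    PacketHeader hdr(r.data());
    const size_t frame = hdr.frame_bytes();   // computed while hdr's pointer is valid
    r.set_reserve_bytes(frame);               // may reallocate; hdr must not be used again
    return frame;
}
```

With a 64-byte buffer, a header announcing a 1000-byte payload forces a reallocation, so the pre-fix ordering would have dereferenced freed memory; a 10-byte payload fits and no invalidation occurs, which is why the bug only surfaced under a large influx of data. The fixed function returns the same frame size either way because it reads the header exactly once, before the buffer can move.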


