[Xorp-cvs] XORP cvs commit: xorp/libxipc
Bruce Simpson
bms at icir.org
Mon May 5 03:47:06 PDT 2008
CVSROOT: /usr/local/www/data/cvs
Module name: xorp
Changes by: bms at chum.icir.org 2008-05-05 10:47:06 UTC
XORP CVS repository
Modified files:
libxipc xrl_pf_stcp.cc
Log message:
Fix use-after-free as a result of incorrect STL container usage.
1. STCPPacketHeader is a simple convenience wrapper. It is implemented in
terms of a set of convenience pointers into a buffer which it does not
own, and it performs no bounds checking; it assumes that the buffer
passed to it is at least as large as its required size.
2. STCPPacketHeader::frame_bytes() is implemented in terms of
dereferencing several of these convenience pointers.
3. In STCPRequestHandler::read_event(), STCPPacketHeader is constructed
from a pointer into a buffer owned by BufferedAsyncReader.
4. STCPPacketHeader::frame_bytes() is conceptually a candidate for becoming
an inline method; however, it is defined within a separate translation unit,
therefore it is NOT a candidate for inlining or related optimization. As a
result, the pointer dereferences happen every time it is called.
5. BufferedAsyncReader::set_reserve_bytes() is a method which may cause
its internal buffer, implemented as a std::vector, to be resized. Pointers
to elements of a std::vector are NOT guaranteed to remain valid after
the resize() method is called.
As a direct result, when STCPRequestHandler::read_event() tries to resize
its buffer [5] to accommodate a large (but expected) influx of data [4],
several bad things happen:
* The pointers into the buffer are invalidated.
* Further state is set regarding this buffer using the invalid pointers.
* The next time BufferedAsyncReader's read callback fires, the tail and
head pointers are invalid, and the callback attempts to read into memory
which it doesn't own, causing heap corruption.
Fix the use-after-free by caching the result of [4] before calling [5].
Bugzilla URL: http://bugzilla.xorp.org/bugzilla/show_bug.cgi?id=750
Revision Changes Path
1.61 +5 -4; commitid: 6423481ee58241a7; xorp/libxipc/xrl_pf_stcp.cc
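
The ordering fix described in the log message, shown as an added C++ example. It is not the XORP code from xrl_pf_stcp.cc; HeaderView, Reader, handle_header and the sample frame length are hypothetical stand-ins for the classes the message names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical non-owning view: raw pointer into a buffer it does not own.
struct HeaderView {
    const uint8_t* p;  // no ownership, no bounds checking
    explicit HeaderView(const uint8_t* buf) : p(buf) {}
    uint32_t frame_bytes() const {  // dereferences p on every call
        uint32_t n;
        std::memcpy(&n, p, sizeof n);
        return n;
    }
};

// Hypothetical reader whose buffer is a std::vector that may be resized.
struct Reader {
    std::vector<uint8_t> buf;
    explicit Reader(size_t n) : buf(n) {}
    void set_reserve_bytes(size_t n) { if (n > buf.size()) buf.resize(n); }
};

struct Result { uint32_t frame; bool storage_moved; size_t reserved; };

Result handle_header(Reader& r) {
    HeaderView hdr(r.buf.data());
    // Unsafe ordering (not executed here): resize first, then call
    // hdr.frame_bytes() again, which reads through a dangling pointer.
    const uint32_t frame = hdr.frame_bytes();  // cache BEFORE the resize
    const uintptr_t old_addr = reinterpret_cast<uintptr_t>(r.buf.data());
    r.set_reserve_bytes(frame);  // may reallocate; hdr.p is now invalid
    const bool moved = reinterpret_cast<uintptr_t>(r.buf.data()) != old_addr;
    return {frame, moved, r.buf.size()};  // only the cached value is used
}

Result demo() {
    Reader r(16);                        // small initial buffer
    const uint32_t frame = 1u << 20;     // constructed sample frame length
    std::memcpy(r.buf.data(), &frame, sizeof frame);
    return handle_header(r);
}

int main() {
    const Result res = demo();
    std::printf("frame=%u moved=%d reserved=%zu\n",
                res.frame, res.storage_moved ? 1 : 0, res.reserved);
    return 0;
}
```

Building the unsafe ordering with -fsanitize=address reports the read through the stale pointer as a heap-use-after-free.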