Skip to content
Permalink
Browse files
Fix 1-byte buffer overwrites due to null-termination
Add axutil_stream_set_buffer_end_null function to allow memory
reallocation if needed when null-terminating a basic stream.

Fixes: AXIS2C-1600
  • Loading branch information
bblough committed Sep 4, 2020
1 parent 16cd2e1 commit 7de836303e80dcd2cdeb675be3bf66c2290776d2
Showing 5 changed files with 60 additions and 4 deletions.
@@ -108,16 +108,14 @@ axiom_data_source_serialize(
{
int status = AXIS2_SUCCESS;
axis2_char_t *data = NULL;
unsigned int data_len = 0;

AXIS2_ENV_CHECK(env, AXIS2_FAILURE);
AXIS2_PARAM_CHECK(env->error, om_output, AXIS2_FAILURE);

axutil_stream_set_buffer_end_null(data_source->stream, env);
data = axutil_stream_get_buffer(data_source->stream, env);
data_len = axutil_stream_get_len(data_source->stream, env);
if(data)
{
data[data_len] = '\0';
status = axiom_output_write(om_output, env, AXIOM_DATA_SOURCE, 1, data);
}
return status;
@@ -282,9 +282,9 @@ axis2_simple_http_svr_conn_write_response(
if(response_stream)
{
body_size = axutil_stream_get_len(response_stream, env);
axutil_stream_set_buffer_end_null(response_stream, env);
response_body = axutil_stream_get_buffer(response_stream, env);
axutil_stream_flush_buffer(response_stream, env);
response_body[body_size] = AXIS2_ESC_NULL;
}

if(body_size <= 0 && !binary_content)
@@ -32,6 +32,7 @@
#include <axis2_json_writer.h>
#include <axis2_json_reader.h>
#endif
#include <axis2_simple_http_svr_conn.h>

#include "../../../cutest/include/cut_http_server.h"

@@ -450,3 +451,23 @@ TEST_F(TestHTTPTransport, test_json)
}
#endif


TEST_F(TestHTTPTransport, test_AXIS2C_1600)
{
axis2_simple_http_svr_conn_t* conn = axis2_simple_http_svr_conn_create(
m_env, -1);

axis2_http_simple_response_t* resp = axis2_http_simple_response_create(
m_env, NULL, NULL, 0, NULL);
axis2_char_t body[AXIS2_STREAM_DEFAULT_BUF_SIZE+1];
memset(body, 'A', AXIS2_STREAM_DEFAULT_BUF_SIZE+1);
body[AXIS2_STREAM_DEFAULT_BUF_SIZE] = '\0';

axis2_http_simple_response_set_status_line(resp, m_env, "1.1", 200, "OK");
axis2_http_simple_response_set_body_string(resp, m_env, body);

axis2_simple_http_svr_conn_write_response(conn, m_env, resp);

axis2_http_simple_response_free(resp, m_env);
axis2_simple_http_svr_conn_free(conn, m_env);
}
@@ -283,6 +283,16 @@ extern "C"
const axutil_stream_t * stream,
const axutil_env_t * env);

/**
* Appends a null terminator to the buffer, allocating additional memory
* if necessary.
* @return Length of the buffer plus null terminator, or -1 on error
*/
AXIS2_EXTERN int AXIS2_CALL
axutil_stream_set_buffer_end_null(
axutil_stream_t *stream,
axutil_env_t *env);

AXIS2_EXTERN axis2_status_t AXIS2_CALL
axutil_stream_flush_buffer(
axutil_stream_t * stream,
@@ -377,6 +377,33 @@ axutil_stream_get_buffer(
return stream->buffer;
}

AXIS2_EXTERN int AXIS2_CALL
axutil_stream_set_buffer_end_null(
axutil_stream_t *stream,
axutil_env_t *env)
{
if (!stream || !env) return -1;

if (stream->len + 1 >= stream->max_len) {

axis2_char_t *tmp = (axis2_char_t *)AXIS2_MALLOC(env->allocator,
sizeof(axis2_char_t) * (stream->len + 1));
if(!tmp)
{
AXIS2_ERROR_SET(env->error, AXIS2_ERROR_NO_MEMORY, AXIS2_FAILURE);
return -1;
}
stream->max_len = stream->len + 1;
memcpy(tmp, stream->buffer_head, sizeof(axis2_char_t) * stream->len);
AXIS2_FREE(env->allocator, stream->buffer_head);
stream->buffer = tmp;
stream->buffer_head = tmp;
}
*(stream->buffer_head + stream->len) = '\0';
return stream->len + 1;

}

AXIS2_EXTERN axis2_status_t AXIS2_CALL
axutil_stream_flush_buffer(
axutil_stream_t *stream,

0 comments on commit 7de8363

Please sign in to comment.