Juniper Openstack

XmppMessageBuikder::GetData() Fix potential data corruption

Bug #1759744 reported by Ananth Suryanarayana on 2018-03-29

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Juniper Openstack	Status tracked in Trunk
	Trunk	Fix Committed	High	Ananth Suryanarayana	Juniper Openstack r5.0.0

Bug Description

In XmppMessageBuilder::GetData() don't return temporary stack variable address

    In XmppMessageBuilder::GetData(), address of a string allocated in stack as
    a temporary variable was returned to the caller in some case. This can cause
    memory corruption because the the temporary string will get destroyed right
    after it goes out of scope, in this case when we return to the caller from
    GetData().

diff --git a/src/bgp/xmpp_message_builder.cc b/src/bgp/xmpp_message_builder.cc
index 4258edc..9402dae 100644
--- a/src/bgp/xmpp_message_builder.cc
+++ b/src/bgp/xmpp_message_builder.cc
@@ -516,7 +516,7 @@ bool BgpXmppMessage::AddMvpnRoute(const BgpRoute *route,
}

const uint8_t *BgpXmppMessage::GetData(IPeerUpdate *peer, size_t *lenp,
- const string **msg_str) {
+ const string **msg_str, string *temp) {
     // Build begin line that contains message opening tag with from and to
     // attributes.
     msg_begin_.clear();
@@ -551,10 +551,10 @@ const uint8_t *BgpXmppMessage::GetData(IPeerUpdate *peer, size_t *lenp,
         *msg_str = &repr_;
         return reinterpret_cast<const uint8_t *>(repr_.c_str()) + extra;
     } else {
- string temp = msg_begin_ + string(repr_, kMaxFromToLength);
- *lenp = temp.size();
+ *temp = msg_begin_ + string(repr_, kMaxFromToLength);
+ *lenp = temp->size();
         *msg_str = NULL;
- return reinterpret_cast<const uint8_t *>(temp.c_str());
+ return reinterpret_cast<const uint8_t *>(temp->c_str());
     }
}

Tags:

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-03-29: [Review update] master

Review in progress for https://review.opencontrail.org/41171
Submitter: Ananth Suryanarayana (<email address hidden>)

Ananth Suryanarayana (anantha-l) on 2018-03-29

Changed in juniperopenstack:
status:	New → In Progress

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-03-31: A change has been merged

Reviewed: https://review.opencontrail.org/41171
Committed: http://github.com/Juniper/contrail-controller/commit/c9e40b1c9076a4eccd8280aed1b814ca65b1f805
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit c9e40b1c9076a4eccd8280aed1b814ca65b1f805
Author: Ananth Suryanarayana <email address hidden>
Date: Wed Mar 28 02:31:30 2018 -0700

In XmppMessageBuilder::GetData() don't return temporary stack variable address

In XmppMessageBuilder::GetData(), address of a string allocated in stack as
a temporary variable was returned to the caller in some case. This can cause
memory corruption because the the temporary string will get destroyed right
after it goes out of scope, in this case when we return to the caller from
GetData().

Fixed by ensuring that caller of GetData() provides the necessary temporary
storage space for the "temp" std::string

Change-Id: I27e622a34b72717cad90dc9553936182c2a77c6a
Closes-Bug: 1759744

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.