Bug #621
Corrupt stack in bus.c
Description
https://github.com/strongswan/strongswan/blob/master/src/libcharon/bus/bus.c#L394
----
va_copy(data.args, args);
len = vsnprintf(data.message, sizeof(buf), format, data.args);
va_end(data.args);
if (len >= sizeof(buf))
{
	len++;
	data.message = malloc(len);
	len = vsnprintf(data.message, len, format, args);
}
----
The second vsnprintf() is missing a va_copy before and a va_end after (like in the first vsnprintf). This causes the args structure to become invalid after the call to vsnprintf().
This invalid va_arg structure is potentially used (causing a SEGV) later at lines 414/415.
Also, it is possible that a double va_end is called on the same va_arg, which may or may not have an effect.
History
#1 Updated by Martin Willi about 11 years ago
- Tracker changed from Issue to Bug
- Category set to libcharon
- Status changed from New to Closed
- Assignee set to Martin Willi
- Priority changed from Normal to High
- Target version set to 5.2.0
- Resolution set to Fixed
Hi Noam,
Thanks for your bug report.
> The second vsnprintf() is missing a va_copy before and a va_end after
Yes, this is absolutely correct. I've addressed the issue with the referenced commit.
Depending on the platform's va_* functions, it's probably not that much of an issue, unless you have both ->log and ->vlog listeners (which we don't ship in our release).
Best regards
Martin