[PATCH] ei: prevent overflow in ei_connect_init/ei_xconnect

Michael Santos <>
Sun Aug 22 04:15:01 CEST 2010


Check the length of the buffer before copying.

ei_cnode ec;
struct in_addr addr;
char *node = (char *)calloc(5001, 1);
(void)memset(node, 'x', 5000);

ei_connect_init(&ec, node, "", 0);

addr.s_addr = inet_addr("192.168.1.1");
ei_xconnect(&ec, &addr, node);
---
 lib/erl_interface/src/connect/ei_connect.c |    8 ++++++--
 lib/erl_interface/src/epmd/epmd_port.c     |   12 ++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/lib/erl_interface/src/connect/ei_connect.c b/lib/erl_interface/src/connect/ei_connect.c
index b1b79aa..e191f3f 100644
--- a/lib/erl_interface/src/connect/ei_connect.c
+++ b/lib/erl_interface/src/connect/ei_connect.c
@@ -502,10 +502,14 @@ int ei_connect_init(ei_cnode* ec, const char* this_node_name,
 	return ERL_ERROR;
     }
 
-    if (this_node_name == NULL)
+    if (this_node_name == NULL) {
 	sprintf(thisalivename, "c%d", (int) getpid());
-    else
+    } else if (strlen(this_node_name) >= sizeof(thisalivename)) {
+	EI_TRACE_ERR0("ei_connect_init","ERROR: this_node_name too long");
+	return ERL_ERROR;
+    } else {
 	strcpy(thisalivename, this_node_name);
+    }
     
     if ((hp = ei_gethostbyname(thishostname)) == 0) {
 	/* Looking up IP given hostname fails. We must be on a standalone
diff --git a/lib/erl_interface/src/epmd/epmd_port.c b/lib/erl_interface/src/epmd/epmd_port.c
index 663b38d..cf6122f 100644
--- a/lib/erl_interface/src/epmd/epmd_port.c
+++ b/lib/erl_interface/src/epmd/epmd_port.c
@@ -106,6 +106,12 @@ static int ei_epmd_r3_port (struct in_addr *addr, const char *alive,
   char ntoabuf[32];
 #endif
   
+  if (len > sizeof(buf) - 3)
+  {
+      erl_errno = ERANGE;
+      return -1;
+  }
+
   put16be(s,len);
   put8(s,EI_EPMD_PORT_REQ);
   strcpy(s,alive);
@@ -164,6 +170,12 @@ static int ei_epmd_r4_port (struct in_addr *addr, const char *alive,
 #if defined(VXWORKS)
   char ntoabuf[32];
 #endif
+
+  if (len > sizeof(buf) - 3)
+  {
+      erl_errno = ERANGE;
+      return -1;
+  }
   
   put16be(s,len);
   put8(s,EI_EPMD_PORT2_REQ);
-- 
1.7.0.4



More information about the erlang-patches mailing list