[erlang-patches] [PATCH] erl_call: fix multiple buffer overflows

Daniel Néri <>
Sun Aug 22 21:50:22 CEST 2010


   Hello,

On Sun, Aug 22, 2010 at 00:40, Michael Santos <> wrote:
>
> -      strcpy(h_hostname, hp->h_name);
> +      strncpy(h_hostname, hp->h_name, EI_MAXHOSTNAMELEN);
>        memcpy(&h_ipadr.s_addr, *hp->h_addr_list, sizeof(struct in_addr));
> +      if (strlen(h_alivename) + strlen(h_hostname) + 2 > sizeof(h_nodename)) {
> +         fprintf(stderr,"erl_call: hostname too long: %s\n", h_hostname);
> +         exit(1);
> +      }

[cut]

> -    strcpy(host_name, hp->h_name);
> +    strncpy(host_name, hp->h_name, EI_MAXHOSTNAMELEN);
> +    if (strlen(flags.node) + strlen(host_name) + 2 > sizeof(nodename)) {
> +       fprintf(stderr,"erl_call: nodename too long: %s\n", flags.node);
> +       exit(1);
> +    }


Beware that strncpy (being broken by design) leaves off the
terminating '\0' when the destination buffer isn't large enough, so
you need to make sure that 'h_hostname' and 'host_name' are properly
null-terminated here. Or see [*] for a better solution.


Regards,
Daniel

[*] http://en.wikipedia.org/wiki/Strlcpy


More information about the erlang-patches mailing list