[erlang-patches] [PATCH] erl_call: fix multiple buffer overflows
Daniel Néri
daniel.neri@REDACTED
Sun Aug 22 21:50:22 CEST 2010
Hello,
On Sun, Aug 22, 2010 at 00:40, Michael Santos <michael.santos@REDACTED> wrote:
>
> - strcpy(h_hostname, hp->h_name);
> + strncpy(h_hostname, hp->h_name, EI_MAXHOSTNAMELEN);
> memcpy(&h_ipadr.s_addr, *hp->h_addr_list, sizeof(struct in_addr));
> + if (strlen(h_alivename) + strlen(h_hostname) + 2 > sizeof(h_nodename)) {
> + fprintf(stderr,"erl_call: hostname too long: %s\n", h_hostname);
> + exit(1);
> + }
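Review bot: the added length check calls strlen(h_hostname) immediately after strncpy(h_hostname, hp->h_name, EI_MAXHOSTNAMELEN), but strncpy writes no terminating '\0' when hp->h_name is EI_MAXHOSTNAMELEN bytes or longer, so the check itself can read past the copied bytes. Terminate h_hostname explicitly after the copy, or use a copy routine that always terminates, before calling strlen. The declaration of h_hostname is not visible in this hunk, so also confirm that the buffer has room for EI_MAXHOSTNAMELEN bytes plus the terminator.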
[cut]
> - strcpy(host_name, hp->h_name);
> + strncpy(host_name, hp->h_name, EI_MAXHOSTNAMELEN);
> + if (strlen(flags.node) + strlen(host_name) + 2 > sizeof(nodename)) {
> + fprintf(stderr,"erl_call: nodename too long: %s\n", flags.node);
> + exit(1);
> + }
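Review bot: the error path of the new check prints only flags.node, while the condition sums strlen(flags.node) and strlen(host_name), so an overlong host name is reported as "nodename too long" with a value that may not be the cause; print both strings. The strncpy into host_name also truncates silently, so a host name longer than EI_MAXHOSTNAMELEN can pass this check in shortened form; rejecting hp->h_name when it does not fit would be safer than continuing with a truncated name.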
Beware that strncpy (being broken by design) leaves off the
terminating '\0' when the destination buffer isn't large enough, so
you need to make sure that 'h_hostname' and 'host_name' are properly
null-terminated here. Or see [*] for a better solution.
Regards,
Daniel
[*] http://en.wikipedia.org/wiki/Strlcpy
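The strncpy behaviour discussed in this thread, as an added example that is not part of the original message or of erl_call. HOSTLEN is a constructed stand-in for EI_MAXHOSTNAMELEN, and copy_bounded and build_nodename are hypothetical helpers that reject an overlong name instead of truncating it.

```c
#include <stdio.h>
#include <string.h>

#define HOSTLEN 8 /* constructed small limit standing in for EI_MAXHOSTNAMELEN */

/* Returns 1 if strncpy left a '\0' within the first HOSTLEN bytes, 0 if not. */
int strncpy_terminates(const char *src)
{
    char dst[HOSTLEN + 1];
    memset(dst, 'X', sizeof dst);   /* simulate uninitialised stack contents */
    strncpy(dst, src, HOSTLEN);     /* same call shape as in the patch */
    return memchr(dst, '\0', HOSTLEN) != NULL;
}

/* Hypothetical helper: always terminates dst; returns -1 if src did not fit. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n;
    if (dstsize == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsize) {             /* truncated, but still terminated */
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* copies the terminator as well */
    return 0;
}

/* Builds "alive@host" in out; fails rather than using a truncated host. */
int build_nodename(char *out, size_t outsize, const char *alive, const char *host)
{
    char h[HOSTLEN + 1];
    if (copy_bounded(h, sizeof h, host) != 0)
        return -1;
    if (strlen(alive) + strlen(h) + 2 > outsize)  /* '@' and '\0' */
        return -1;
    snprintf(out, outsize, "%s@%s", alive, h);
    return 0;
}

int main(void)
{
    char node[16];
    printf("short name terminated: %d\n", strncpy_terminates("short"));
    printf("long name terminated:  %d\n", strncpy_terminates("longerthan8"));
    if (build_nodename(node, sizeof node, "node", "host1") == 0)
        printf("nodename: %s\n", node);
    return 0;
}
```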