[PATCH 2/2] erl_interface: fix buffer overflows

Michael Santos <>
Mon Jan 24 00:16:36 CET 2011


---
 lib/erl_interface/src/legacy/erl_connect.c |    7 +++----
 lib/erl_interface/src/legacy/erl_format.c  |    2 +-
 lib/erl_interface/src/legacy/erl_marshal.c |    4 ++--
 lib/erl_interface/src/legacy/erl_timeout.c |    2 +-
 4 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/lib/erl_interface/src/legacy/erl_connect.c b/lib/erl_interface/src/legacy/erl_connect.c
index 3c8c946..e77bd5d 100644
--- a/lib/erl_interface/src/legacy/erl_connect.c
+++ b/lib/erl_interface/src/legacy/erl_connect.c
@@ -180,9 +180,7 @@ int erl_xconnect(Erl_IpAddr addr, char *alivename)
  *
  *  Close a connection. FIXME call ei_close_connection() later. 
  *
- *  Returns valid file descriptor on success and < 0 on failure.
- *  Set erl_errno to EHOSTUNREACH, ENOMEM, EIO or errno from socket(2)
- *  or connect(2).
+ *  Returns 0 on success and -1 on failure.
  *
  ***************************************************************************/
 
@@ -250,7 +248,8 @@ int erl_send(int fd, ETERM *to ,ETERM *msg)
 	return -1;
     }
     
-    strcpy(topid.node, (char *)ERL_PID_NODE(to));
+    strncpy(topid.node, (char *)ERL_PID_NODE(to), sizeof(topid.node));
+    topid.node[sizeof(topid.node)-1] = '\0';
     topid.num = ERL_PID_NUMBER(to);
     topid.serial = ERL_PID_SERIAL(to);
     topid.creation = ERL_PID_CREATION(to);
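Review bot: The new strncpy/terminator pair stops the overflow but silently truncates a node name that does not fit in topid.node, so an over-long name is no longer a memory error but is quietly sent to a different (shortened) node with no indication to the caller. erl_send already rejects bad input with `return -1;` (top of this hunk), and the file header comment in the first hunk names erl_errno as the error channel, so rejecting is the safer contract: `if (strlen((char *)ERL_PID_NODE(to)) >= sizeof(topid.node)) { erl_errno = EINVAL; return -1; }` before the copy, after which the copy is provably in bounds and `strncpy`'s zero-padding of the rest of the buffer is no longer needed. erl_send's body continues outside the hunk, so whether erl_errno is set elsewhere in it is not visible here.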
diff --git a/lib/erl_interface/src/legacy/erl_format.c b/lib/erl_interface/src/legacy/erl_format.c
index 9848e92..b172692 100644
--- a/lib/erl_interface/src/legacy/erl_format.c
+++ b/lib/erl_interface/src/legacy/erl_format.c
@@ -116,7 +116,7 @@ static lvar *lvar_alloc(void)
   lvar *tmp;
   
   if ((tmp = ef.idle) == NULL) {
-    tmp = (lvar *) malloc(sizeof(lvar)); /* FIXME check result */
+    tmp = (lvar *) erl_malloc(sizeof(lvar));
   }
   else {
     tmp = ef.idle;
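Review bot: Swapping malloc for erl_malloc drops the `/* FIXME check result */` note while the allocation result is still used unchecked, and whether that is now safe depends on erl_malloc's contract, which the patch does not show: if erl_malloc aborts on failure the change is complete, but if it can return NULL the original FIXME still stands and tmp is written through past the hunk exactly as before. The same pattern appears in the SET_NODE macro and cmp_string_list in erl_marshal.c and in timeout_setup in erl_timeout.c, where the result is dereferenced on the very next line (`memcpy(node, cp, len)`, `bp[0] = ERL_LIST_EXT`, `j->siginfo = s`). If erl_malloc does abort, record that once at this first call site with `/* erl_malloc() aborts on failure, so the result is never NULL */`; otherwise add `if (tmp == NULL) return NULL;` here and equivalent guards at the other three sites. lvar_alloc continues past the hunk.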
diff --git a/lib/erl_interface/src/legacy/erl_marshal.c b/lib/erl_interface/src/legacy/erl_marshal.c
index 70949a7..5cfb5e2 100644
--- a/lib/erl_interface/src/legacy/erl_marshal.c
+++ b/lib/erl_interface/src/legacy/erl_marshal.c
@@ -662,7 +662,7 @@ len = i
 #define STATIC_NODE_BUF_SZ 30
 
 #define SET_NODE(node,node_buf,cp,len) \
-if (len >= STATIC_NODE_BUF_SZ) node = malloc(len+1); \
+if (len >= STATIC_NODE_BUF_SZ) node = erl_malloc(len+1); \
 else node = node_buf; \
 memcpy(node, cp, len); \
 node[len] = '\0'
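Review bot: SET_NODE is a multi-statement macro whose first statement is an un-braced if/else and whose arguments are expanded unparenthesized, so the new `erl_malloc(len+1)` line inherits two hazards: invoked as the body of an `if` without braces, only the if/else pair is conditional and the `memcpy` and terminator run unconditionally, and a `len` argument that is itself an expression changes meaning inside `len+1` and `len >= STATIC_NODE_BUF_SZ`. Since the macro is touched here, wrapping it in `do { } while (0)` and parenthesizing each parameter removes both; assuming it is always invoked as a statement followed by `;` (which the current trailing `node[len] = '\0'` without a semicolon requires), existing call sites are unaffected. The call sites are outside the hunk, so this is inferred from the macro's shape.
```c
#define SET_NODE(node,node_buf,cp,len) \
do { \
    if ((len) >= STATIC_NODE_BUF_SZ) (node) = erl_malloc((len)+1); \
    else (node) = (node_buf); \
    memcpy((node), (cp), (len)); \
    (node)[(len)] = '\0'; \
} while (0)
```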
@@ -1534,7 +1534,7 @@ static int cmp_string_list(unsigned char **e1, unsigned char **e2) {
   if ( e1_len < 256 ) {
     bp = buf;
   } else {
-    bp = malloc(5+(2*e1_len)+1);
+    bp = erl_malloc(5+(2*e1_len)+1);
   }
 
   bp[0] = ERL_LIST_EXT;
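Review bot: The allocation size `5+(2*e1_len)+1` is carried over as bare arithmetic, and neither what the 5, the 2 and the trailing 1 stand for nor the type of e1_len is visible in the hunk; if e1_len is a plain int derived from the decoded list length, `2*e1_len` can overflow before erl_malloc sees it, producing an undersized buffer that the writes starting at `bp[0] = ERL_LIST_EXT` then overrun. A comment on the new line naming the three terms of the layout, plus computing the size in `size_t` (or range-checking e1_len against the 256 threshold's counterpart), would make the bound auditable; the threshold `e1_len < 256` also implies a size for the stack `buf` that a reader cannot confirm from here. cmp_string_list continues outside the hunk.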
diff --git a/lib/erl_interface/src/legacy/erl_timeout.c b/lib/erl_interface/src/legacy/erl_timeout.c
index af1a4a1..6ef5d25 100644
--- a/lib/erl_interface/src/legacy/erl_timeout.c
+++ b/lib/erl_interface/src/legacy/erl_timeout.c
@@ -74,7 +74,7 @@ jmp_buf *timeout_setup(int ms)
   t.it_value.tv_usec = (ms % 1000) * 1000;
 
   /* get a jump buffer and save it */
-  j = malloc(sizeof(*j));	/* FIXME check result */
+  j = erl_malloc(sizeof(*j));
   j->siginfo = s;
   push(j);
 
-- 
1.7.0.4


