[erlang-patches] Limit maximum line length in interactive shells

Stefan Zegenhagen stefan.zegenhagen@REDACTED
Thu Jun 20 10:23:53 CEST 2013


Dear Björn,

> Moving on to the problem that the patch addresses,
> the use case is not clear to us.
>
> If a user has access to an Erlang shell,
> there are many other ways in which (s)he
> could bring down the system. Therefore, it is not
> clear that you would gain very much by fixing this
> particular issue.

Just to make myself absolutely clear: we are producing a device that has
a serial port for the user to access *OUR OWN* device specific CLI. We
are using the bits and pieces that erlang provides: namely group.erl as
the I/O server for the interactive shell.

The user *DOES HAVE TO LOGIN* to the device in order to access any
functionality. Our CLI implementation does naturally use the I/O server
group.erl to input username/password. How else would we do that?

It is possible for the user to crash the erlang system *WITHOUT LOGGING
ON* by just sending tons of data to the serial port without a newline in
between instead of a username or password. It works, just try it. A
bad-minded person can crash the system *WITHOUT BEING AUTHENTICATED*,
just by having physical access to the device.

The effect is running out of memory and dramatically slowing the system
down due to the amount of data that needs to be handled by group.erl (and
garbage collection, etc), which might cause other software failures even
before erlang finally crashes.

I would deem such an unauthenticated method to crash any erlang system
that uses group.erl for interactive shells *A SEVERE SECURITY ISSUE*.
You only need physical access to the device. But since there is a serial
management port, I would assume that you can guess that physical access
to the device is nothing that is excluded from the use cases of it.

> For these reasons, we reject the patch.

I think it is very sad that this patch is being rejected and I will feel free
to raise this issue as a severe security "feature" on erlang-bugs again
until it is solved!

Please note that other erlang components, e.g. erlang SSH, are also
using group.erl as their I/O server for line-based input/output of user
data.


Regards,

-- 
Dr. Stefan Zegenhagen

arcutronix GmbH
Garbsener Landstr. 10
30419 Hannover
Germany

Tel:   +49 511 277-2734
Fax:   +49 511 277-2709
Email: stefan.zegenhagen@REDACTED
Web:   www.arcutronix.com

*Synchronize the Ethernet*

General Managers: Dipl. Ing. Juergen Schroeder, Dr. Josef Gfrerer -
Legal Form: GmbH, Registered office: Hannover, HRB 202442, Amtsgericht
Hannover; Ust-Id: DE257551767.

Please consider the environment before printing this message.
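As an added illustration of the mitigation named in the subject line (capping how much input is buffered while waiting for a newline), here is a small Erlang line accumulator; it is neither the submitted patch nor OTP's group.erl, and the module name, the limit value and the result tuples are assumptions made for this example.

```erlang
%% Added example, not OTP code: a line accumulator that caps the number
%% of characters buffered before a newline arrives, so input without a
%% '\n' is discarded past the limit instead of growing memory unbounded.
-module(bounded_line).
-export([new/1, feed/2, example/0]).

%% State: {MaxLen, ReversedBuffer, BufferedLength, Overflowed}
new(MaxLen) when is_integer(MaxLen), MaxLen > 0 ->
    {MaxLen, [], 0, false}.

%% feed(Input, State) -> {Results, State1}
%% Results lists each completed line in order: {ok, Line} when it fit
%% within the limit, {error, line_too_long} when it did not (the content
%% of an over-long line is dropped, never kept).
feed(Bytes, State) when is_binary(Bytes) ->
    feed(binary_to_list(Bytes), State);
feed(Chars, State) when is_list(Chars) ->
    feed_chars(Chars, State, []).

feed_chars([], State, Acc) ->
    {lists:reverse(Acc), State};
feed_chars([$\n | Rest], {Max, Buf, _Len, Over}, Acc) ->
    Result = case Over of
                 true  -> {error, line_too_long};
                 false -> {ok, lists:reverse(Buf)}
             end,
    %% Newline resynchronises the reader: start a fresh, empty line.
    feed_chars(Rest, {Max, [], 0, false}, [Result | Acc]);
feed_chars([_C | Rest], {_Max, [], 0, true} = State, Acc) ->
    %% Already over the limit: discard until the next newline.
    feed_chars(Rest, State, Acc);
feed_chars([_C | Rest], {Max, _Buf, Len, _Over}, Acc) when Len >= Max ->
    %% Limit reached: drop the buffer and mark the line as too long.
    feed_chars(Rest, {Max, [], 0, true}, Acc);
feed_chars([C | Rest], {Max, Buf, Len, Over}, Acc) ->
    feed_chars(Rest, {Max, [C | Buf], Len + 1, Over}, Acc).

%% Constructed input: a short login line, then 18 characters with no
%% newline (limit is 8), then a normal line. Returns
%% [{ok,"user"},{error,line_too_long},{ok,"ok"}].
example() ->
    S0 = new(8),
    {R1, S1} = feed(<<"user\n">>, S0),
    {R2, _S2} = feed(<<"aaaaaaaaaaaaaaaaaa\nok\n">>, S1),
    R1 ++ R2.
```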
