[erlang-questions] Securing remote spawning

Matthias Lang matthias@REDACTED
Wed Apr 23 22:28:33 CEST 2008


Sean Hinde writes:

 > It is very easy to roll your own RPC:
 > 
 > call(Sock, M,F,A) ->
 >      gen_tcp:send(Sock, erlang:term_to_binary({M,F,A})).
 > 
 > Then at the other end:
 > 
 > receive
 >      {tcp, Sock, Data} ->
 >          case erlang:term_to_binary(Data) of
 >              {M, F, A} when is_list(A) ->
 >                  case lists:member({M,F,length(A)}, Allowed_funcs) of
 >                      true ->
 >                          apply(M,F,A);
 >                      false ->
 >                           ignore
 >                   end;
 >              _ -> ignore
 >         end
 > 
 > etc

This example illustrates the general idea, and you can (and should!)
robustify it in practice if you want to deal with potentially
malicious clients.

A starting point would be to eliminate binary_to_term/1 (which is what
Sean meant to write in the 'receive' above, where he wrote
'term_to_binary'). binary_to_term/1 is too general and too
powerful. Not only can a client launch a DOS attack using it (by
overflowing the atom table), but there have been quite a few examples
of how to crash the emulator with it:

  http://www.erlang.org/pipermail/erlang-questions/2001-June/003332.html
  http://www.erlang.org/pipermail/erlang-questions/2006-February/018901.html
  http://www.erlang.org/pipermail/erlang-bugs/2008-February/000634.html

Matt
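
An added example, not part of the original message or of Sean's code: one way to drop binary_to_term/1 on the receiving side is a fixed binary request format parsed by hand, so the client selects a function by number and never supplies an atom or an arbitrary term. The module name, the opcode table and the size limits are assumptions made for this sketch.

```erlang
-module(safe_rpc).
-export([encode/2, decode/1, dispatch/1]).

%% Assumed limits; tune to the real protocol.
-define(MAX_ARGS, 8).
-define(MAX_ARG_BYTES, 1024).

%% Hypothetical allow-list: opcode -> {Module, Function, Arity}.
%% Only the server names atoms, so the atom table cannot be grown remotely.
allowed(1) -> {erlang, byte_size, 1};
allowed(2) -> {erlang, max, 2};
allowed(_) -> undefined.

%% Client side. Wire format: <<Opcode:8, NArgs:8, (Len:16, Bytes)*>>.
%% Every argument is a binary; nothing is passed through term_to_binary.
encode(Op, Args) when is_integer(Op), Op >= 0, Op < 256,
                      length(Args) =< ?MAX_ARGS ->
    Body = [<<(byte_size(A)):16, A/binary>> || A <- Args],
    iolist_to_binary([<<Op:8, (length(Args)):8>> | Body]).

%% Server side: strict parser. Any oversize, short or trailing data is an
%% error; no client-controlled term is ever constructed.
decode(<<Op:8, N:8, Rest/binary>>) when N =< ?MAX_ARGS ->
    case decode_args(N, Rest, []) of
        {ok, Args} -> {ok, Op, Args};
        error -> error
    end;
decode(_) -> error.

decode_args(0, <<>>, Acc) -> {ok, lists:reverse(Acc)};
decode_args(N, <<Len:16, Arg:Len/binary, Rest/binary>>, Acc)
  when N > 0, Len =< ?MAX_ARG_BYTES ->
    decode_args(N - 1, Rest, [Arg | Acc]);
decode_args(_, _, _) -> error.

%% Call from the receive loop as: {tcp, Sock, Data} -> dispatch(Data).
%% Assumes the socket was opened with [binary, {packet, 4}] and a small
%% {packet_size, N}, so Data is one whole, size-capped request.
dispatch(Data) ->
    case decode(Data) of
        {ok, Op, Args} ->
            case allowed(Op) of
                {M, F, Arity} when Arity =:= length(Args) ->
                    {ok, apply(M, F, Args)};
                _ -> ignore
            end;
        error -> ignore
    end.
```

Later OTP releases also provide binary_to_term/2 with the `safe` option, which refuses to create new atoms; it still decodes arbitrary client-chosen terms, so size limits and the allow-list check remain necessary with it.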


