author | Sverker Eriksson <[email protected]> | 2010-02-18 14:59:46 +0000 |
---|---|---|
committer | Erlang/OTP <[email protected]> | 2010-02-18 14:59:46 +0000 |
commit | 3a44b99cc6f14a87242e2dddc57f191f853cfd90 (patch) | |
tree | acb6f863b54412f0b42f998711ba34e45216e665 | |
parent | e68da67280480bcd51e1a38372e5671a38082f82 (diff) | |
OTP-8451 Harmless buffer overflow by one byte in asn1 and ram_file_drv.
-rw-r--r-- | erts/emulator/beam/erl_binary.h | 20 | ||||
-rw-r--r-- | erts/emulator/drivers/common/ram_file_drv.c | 14 | ||||
-rw-r--r-- | lib/asn1/c_src/asn1_erl_driver.c | 16 | ||||
-rw-r--r-- | lib/kernel/test/ram_file_SUITE.erl | 37 |
4 files changed, 53 insertions, 34 deletions
diff --git a/erts/emulator/beam/erl_binary.h b/erts/emulator/beam/erl_binary.h index 21d4e3fdfd..1f948a9684 100644 --- a/erts/emulator/beam/erl_binary.h +++ b/erts/emulator/beam/erl_binary.h @@ -195,10 +195,20 @@ erts_free_aligned_binary_bytes(byte* buf) } } +/* Explicit extra bytes allocated to counter buggy drivers. +** These extra bytes where earlier (< R13B04) added by an alignment-bug +** in this code. Do we dare remove this in some major release (R14?) maybe? +*/ +#ifdef DEBUG +# define CHICKEN_PAD 0 +#else +# define CHICKEN_PAD (sizeof(void*) - 1) +#endif + ERTS_GLB_INLINE Binary * erts_bin_drv_alloc_fnf(Uint size) { - Uint bsize = ERTS_SIZEOF_Binary(size); + Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD; void *res; res = erts_alloc_fnf(ERTS_ALC_T_DRV_BINARY, bsize); ERTS_CHK_BIN_ALIGNMENT(res); @@ -208,7 +218,7 @@ erts_bin_drv_alloc_fnf(Uint size) ERTS_GLB_INLINE Binary * erts_bin_drv_alloc(Uint size) { - Uint bsize = ERTS_SIZEOF_Binary(size); + Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD; void *res; res = erts_alloc(ERTS_ALC_T_DRV_BINARY, bsize); ERTS_CHK_BIN_ALIGNMENT(res); @@ -219,7 +229,7 @@ erts_bin_drv_alloc(Uint size) ERTS_GLB_INLINE Binary * erts_bin_nrml_alloc(Uint size) { - Uint bsize = ERTS_SIZEOF_Binary(size); + Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD; void *res; res = erts_alloc(ERTS_ALC_T_BINARY, bsize); ERTS_CHK_BIN_ALIGNMENT(res); @@ -230,7 +240,7 @@ ERTS_GLB_INLINE Binary * erts_bin_realloc_fnf(Binary *bp, Uint size) { Binary *nbp; - Uint bsize = ERTS_SIZEOF_Binary(size); + Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD; ASSERT((bp->flags & BIN_FLAG_MAGIC) == 0); if (bp->flags & BIN_FLAG_DRV) nbp = erts_realloc_fnf(ERTS_ALC_T_DRV_BINARY, (void *) bp, bsize); 
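Review bot: The comment above `CHICKEN_PAD` in the first hunk should state that the pad is slack for driver overruns only and never part of a binary's usable size, because in non-DEBUG builds the extra `sizeof(void*) - 1` bytes also hide small overruns from any bounds checking done at the allocator level. The same `+ CHICKEN_PAD` is applied in `erts_bin_drv_alloc_fnf`, `erts_bin_drv_alloc`, `erts_bin_nrml_alloc`, `erts_bin_realloc_fnf` and, in the following hunk, `erts_bin_realloc`. None of them checks that `ERTS_SIZEOF_Binary(size) + CHICKEN_PAD` did not wrap for a very large `size`; whether callers bound `size` beforehand is not visible here. Two smaller points: "where earlier" in the comment should read `were earlier`, and since this is a shared header a prefixed name such as `ERTS_CHICKEN_PAD` would be less likely to collide with another macro.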
@@ -244,7 +254,7 @@ ERTS_GLB_INLINE Binary * erts_bin_realloc(Binary *bp, Uint size) { Binary *nbp; - Uint bsize = ERTS_SIZEOF_Binary(size); + Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD; ASSERT((bp->flags & BIN_FLAG_MAGIC) == 0); if (bp->flags & BIN_FLAG_DRV) nbp = erts_realloc_fnf(ERTS_ALC_T_DRV_BINARY, (void *) bp, bsize); diff --git a/erts/emulator/drivers/common/ram_file_drv.c b/erts/emulator/drivers/common/ram_file_drv.c index 2e3aeb981e..4a39a156e6 100644 --- a/erts/emulator/drivers/common/ram_file_drv.c +++ b/erts/emulator/drivers/common/ram_file_drv.c @@ -1,19 +1,19 @@ /* * %CopyrightBegin% - * - * Copyright Ericsson AB 1997-2009. All Rights Reserved. - * + * + * Copyright Ericsson AB 1997-2010. All Rights Reserved. + * * The contents of this file are subject to the Erlang Public License, * Version 1.1, (the "License"); you may not use this file except in * compliance with the License. You should have received a copy of the * Erlang Public License along with this software. If not, it can be * retrieved online at http://www.erlang.org/. - * + * * Software distributed under the License is distributed on an "AS IS" * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See * the License for the specific language governing rights and limitations * under the License. - * + * * %CopyrightEnd% */ /* @@ -388,7 +388,7 @@ static int ram_file_uuencode(RamFile *f) { int code_len = UULINE(UNIX_LINE); int len = f->end; - int usize = (len*4+2)/3 + 2*(len/code_len+1) + 2 + 1; + int usize = 4*((len+2)/3) + 2*((len+code_len-1)/code_len) + 2; ErlDrvBinary* bin; uchar* inp; uchar* outp; @@ -433,7 +433,7 @@ static int ram_file_uuencode(RamFile *f) *outp++ = ' '; /* this end of file 0 length !!! */ *outp++ = '\n'; count += 2; - + ASSERT(count == usize); driver_free_binary(f->bin); ram_file_set(f, bin, usize, count); return numeric_reply(f, count); 
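Review bot: The new `usize` expression in `ram_file_uuencode` is still evaluated in `int`, so for a sufficiently large `f->end` the term `4*((len+2)/3)` can overflow and the binary would be sized from a wrapped value while the encode loop still writes the full output; no upper bound on `len` is visible in this hunk. Lengths whose encoded size would exceed `INT_MAX` should be rejected before the allocation, using whatever error return the function already has outside the hunk. The formula also deserves a comment so the next change keeps it exact, for example `/* 4 chars per 3 input bytes (rounded up) + 2 bytes per code_len-byte line (rounded up) + 2 for the end-of-file line */`.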
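Review bot: `ASSERT(count == usize);` runs only after all output has been written, so it reports a size mismatch rather than preventing an overrun. If `ASSERT` is compiled out of non-DEBUG builds (its definition is not visible here), release builds have no check at all now that `usize` no longer carries a spare byte. A short comment would make that dependency explicit, e.g. `/* usize must be exact: count bytes have been written into a usize-byte binary */`. The encode loop and the allocation sit outside this hunk.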
diff --git a/lib/asn1/c_src/asn1_erl_driver.c b/lib/asn1/c_src/asn1_erl_driver.c index cd2e63a363..fd284e5800 100644 --- a/lib/asn1/c_src/asn1_erl_driver.c +++ b/lib/asn1/c_src/asn1_erl_driver.c @@ -1,19 +1,19 @@ /* * %CopyrightBegin% - * - * Copyright Ericsson AB 2002-2009. All Rights Reserved. - * + * + * Copyright Ericsson AB 2002-2010. All Rights Reserved. + * * The contents of this file are subject to the Erlang Public License, * Version 1.1, (the "License"); you may not use this file except in * compliance with the License. You should have received a copy of the * Erlang Public License along with this software. If not, it can be * retrieved online at http://www.erlang.org/. - * + * * Software distributed under the License is distributed on an "AS IS" * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See * the License for the specific language governing rights and limitations * under the License. - * + * * %CopyrightEnd% * */ @@ -206,7 +206,11 @@ int asn1_drv_control(ErlDrvData handle, set_port_control_flags(a_data->port, PORT_CONTROL_FLAG_BINARY); if (command == ASN1_COMPLETE) - { /* Do the PER complete encode step */ + { + if (buf_len==0) { + return 0; /* Avoid binary buffer overwrite (OTP-8451) */ + } + /* Do the PER complete encode step */ if ((drv_binary = driver_alloc_binary(buf_len))==NULL) { /* error handling */ set_port_control_flags(a_data->port, 0); diff --git a/lib/kernel/test/ram_file_SUITE.erl b/lib/kernel/test/ram_file_SUITE.erl index 55c9497670..798a37d3dc 100644 --- a/lib/kernel/test/ram_file_SUITE.erl +++ b/lib/kernel/test/ram_file_SUITE.erl 
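Review bot: The early `return 0;` for `buf_len==0` in `asn1_drv_control` comes after `set_port_control_flags(a_data->port, PORT_CONTROL_FLAG_BINARY)` and assigns no result buffer, whereas the allocation-failure path just below resets the flags to 0 before returning. What the Erlang caller receives for an empty input in that state is not visible in this hunk and should be stated in the comment. The comment could also name the write it guards against, for example `/* empty input: reply empty; the complete step would write past a 0-byte binary (OTP-8451) */`, if that is indeed the cause. The diffstat shows a regression test only for ram_file, so an ASN1_COMPLETE call with an empty buffer stays untested; the function body continues outside the hunk.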
@@ -1,19 +1,19 @@ %% %% %CopyrightBegin% -%% -%% Copyright Ericsson AB 2001-2009. All Rights Reserved. -%% +%% +%% Copyright Ericsson AB 2001-2010. All Rights Reserved. +%% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in %% compliance with the License. You should have received a copy of the %% Erlang Public License along with this software. If not, it can be %% retrieved online at http://www.erlang.org/. -%% +%% %% Software distributed under the License is distributed on an "AS IS" %% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See %% the License for the specific language governing rights and limitations %% under the License. -%% +%% %% %CopyrightEnd% %% 
@@ -472,20 +472,25 @@ uuencode(Config) when is_list(Config) -> %% %% Uuencode and decode test %% - ?line {ok, 0} = ?FILE_MODULE:position(FdReal, bof), - ?line {ok, 0} = ?FILE_MODULE:position(Fd, bof), - ?line ok = ?FILE_MODULE:truncate(Fd), - ?line {ok, Sz} = ?FILE_MODULE:copy(FdReal, Fd), - ?line {ok, SzUu} = ?RAM_FILE_MODULE:uuencode(Fd), - ?line true = (Sz =< SzUu), - ?line {ok, Sz } = ?RAM_FILE_MODULE:uudecode(Fd), - ?line {ok, 0} = ?FILE_MODULE:position(FdReal, bof), - ?line {ok, 0} = ?FILE_MODULE:position(Fd, bof), - ?line true = compare(FdReal, Fd), - %% + F = fun(Offs) -> + Size = Sz - Offs, + ?line {ok, Offs} = ?FILE_MODULE:position(FdReal, {bof,Offs}), + ?line {ok, 0} = ?FILE_MODULE:position(Fd, bof), + ?line ok = ?FILE_MODULE:truncate(Fd), + ?line {ok, Size} = ?FILE_MODULE:copy(FdReal, Fd), + ?line {ok, SizeUu} = ?RAM_FILE_MODULE:uuencode(Fd), + ?line true = (Size =< SizeUu), + ?line {ok, Size} = ?RAM_FILE_MODULE:uudecode(Fd), + ?line {ok, Offs} = ?FILE_MODULE:position(FdReal, {bof,Offs}), + ?line {ok, 0} = ?FILE_MODULE:position(Fd, bof), + ?line true = compare(FdReal, Fd) + end, + lists:foreach(F, lists:seq(0,Sz-1, 43)), + ?line ok = ?FILE_MODULE:close(FdReal), ?line ok = ?FILE_MODULE:close(Fd), ?line ok = ?FILE_MODULE:close(FdRealUu), + %% ok. |
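Review bot: The stride `43` in `lists:seq(0,Sz-1, 43)` is unexplained, and which sizes get exercised depends on the value of `Sz`. The boundary lengths the size fix is about (an empty file, 1 or 2 bytes, an exact multiple of the encoder's line length) are therefore hit only by chance. A comment such as `%% step 43 is coprime to 3, so Size cycles through all remainders mod 3`, plus a few explicit small sizes, would make the coverage deliberate. `true = (Size =< SizeUu)` also accepts any over-estimate, so the test does not pin the encoded length itself. `Sz` has to be bound earlier in `uuencode/1`, outside this hunk.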