authorSverker Eriksson <[email protected]>2010-02-18 14:59:46 +0000
committerErlang/OTP <[email protected]>2010-02-18 14:59:46 +0000
commit3a44b99cc6f14a87242e2dddc57f191f853cfd90 (patch)
treeacb6f863b54412f0b42f998711ba34e45216e665
parente68da67280480bcd51e1a38372e5671a38082f82 (diff)
OTP-8451 Harmless buffer overflow by one byte in asn1 and ram_file_drv.
-rw-r--r--erts/emulator/beam/erl_binary.h20
-rw-r--r--erts/emulator/drivers/common/ram_file_drv.c14
-rw-r--r--lib/asn1/c_src/asn1_erl_driver.c16
-rw-r--r--lib/kernel/test/ram_file_SUITE.erl37
4 files changed, 53 insertions, 34 deletions
diff --git a/erts/emulator/beam/erl_binary.h b/erts/emulator/beam/erl_binary.h
index 21d4e3fdfd..1f948a9684 100644
--- a/erts/emulator/beam/erl_binary.h
+++ b/erts/emulator/beam/erl_binary.h
@@ -195,10 +195,20 @@ erts_free_aligned_binary_bytes(byte* buf)
}
}
+/* Explicit extra bytes allocated to counter buggy drivers.
+** These extra bytes where earlier (< R13B04) added by an alignment-bug
+** in this code. Do we dare remove this in some major release (R14?) maybe?
+*/
+#ifdef DEBUG
+# define CHICKEN_PAD 0
+#else
+# define CHICKEN_PAD (sizeof(void*) - 1)
+#endif
+
ERTS_GLB_INLINE Binary *
erts_bin_drv_alloc_fnf(Uint size)
{
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
void *res;
res = erts_alloc_fnf(ERTS_ALC_T_DRV_BINARY, bsize);
ERTS_CHK_BIN_ALIGNMENT(res);
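Review bot: The comment above `CHICKEN_PAD` does not explain why DEBUG builds get 0 while other builds get `sizeof(void*) - 1`, so a later reader cannot tell that the asymmetry is deliberate. I would add a line such as `** DEBUG builds use 0 so a driver's off-by-one is caught by memory checkers instead of being absorbed.` (this reading is inferred from the `#ifdef`; confirm with the author). Separately, `ERTS_SIZEOF_Binary(size) + CHICKEN_PAD` is an unchecked `Uint` addition on a caller-supplied size, here and in the four later hunks (`erts_bin_drv_alloc`, `erts_bin_nrml_alloc`, `erts_bin_realloc_fnf`, `erts_bin_realloc`). If nothing upstream bounds `size`, a value near the top of the range would wrap to a small allocation, so the limit is worth stating or asserting. The function bodies continue outside the hunks.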
@@ -208,7 +218,7 @@ erts_bin_drv_alloc_fnf(Uint size)
ERTS_GLB_INLINE Binary *
erts_bin_drv_alloc(Uint size)
{
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
void *res;
res = erts_alloc(ERTS_ALC_T_DRV_BINARY, bsize);
ERTS_CHK_BIN_ALIGNMENT(res);
@@ -219,7 +229,7 @@ erts_bin_drv_alloc(Uint size)
ERTS_GLB_INLINE Binary *
erts_bin_nrml_alloc(Uint size)
{
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
void *res;
res = erts_alloc(ERTS_ALC_T_BINARY, bsize);
ERTS_CHK_BIN_ALIGNMENT(res);
@@ -230,7 +240,7 @@ ERTS_GLB_INLINE Binary *
erts_bin_realloc_fnf(Binary *bp, Uint size)
{
Binary *nbp;
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
ASSERT((bp->flags & BIN_FLAG_MAGIC) == 0);
if (bp->flags & BIN_FLAG_DRV)
nbp = erts_realloc_fnf(ERTS_ALC_T_DRV_BINARY, (void *) bp, bsize);
@@ -244,7 +254,7 @@ ERTS_GLB_INLINE Binary *
erts_bin_realloc(Binary *bp, Uint size)
{
Binary *nbp;
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
ASSERT((bp->flags & BIN_FLAG_MAGIC) == 0);
if (bp->flags & BIN_FLAG_DRV)
nbp = erts_realloc_fnf(ERTS_ALC_T_DRV_BINARY, (void *) bp, bsize);
diff --git a/erts/emulator/drivers/common/ram_file_drv.c b/erts/emulator/drivers/common/ram_file_drv.c
index 2e3aeb981e..4a39a156e6 100644
--- a/erts/emulator/drivers/common/ram_file_drv.c
+++ b/erts/emulator/drivers/common/ram_file_drv.c
@@ -1,19 +1,19 @@
/*
* %CopyrightBegin%
- *
- * Copyright Ericsson AB 1997-2009. All Rights Reserved.
- *
+ *
+ * Copyright Ericsson AB 1997-2010. All Rights Reserved.
+ *
* The contents of this file are subject to the Erlang Public License,
* Version 1.1, (the "License"); you may not use this file except in
* compliance with the License. You should have received a copy of the
* Erlang Public License along with this software. If not, it can be
* retrieved online at http://www.erlang.org/.
- *
+ *
* Software distributed under the License is distributed on an "AS IS"
* basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
* the License for the specific language governing rights and limitations
* under the License.
- *
+ *
* %CopyrightEnd%
*/
/*
@@ -388,7 +388,7 @@ static int ram_file_uuencode(RamFile *f)
{
int code_len = UULINE(UNIX_LINE);
int len = f->end;
- int usize = (len*4+2)/3 + 2*(len/code_len+1) + 2 + 1;
+ int usize = 4*((len+2)/3) + 2*((len+code_len-1)/code_len) + 2;
ErlDrvBinary* bin;
uchar* inp;
uchar* outp;
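Review bot: The new `usize` expression is still evaluated in signed `int` from `len = f->end`, so a large enough file overflows it before the binary is allocated and the encode loop then writes into a buffer sized from a wrapped value. The formula is now exact with no slack byte, which makes that sizing the only thing protecting the writes. A guard ahead of the computation, for example `if (len < 0 || len > (INT_MAX - 2) / 4) /* fail via the driver's existing error reply */`, would close it; the bound is deliberately conservative and assumes `code_len >= 1`. The rest of `ram_file_uuencode` is outside this hunk, so an existing limit on `f->end` elsewhere cannot be ruled out.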
@@ -433,7 +433,7 @@ static int ram_file_uuencode(RamFile *f)
*outp++ = ' '; /* this end of file 0 length !!! */
*outp++ = '\n';
count += 2;
-
+ ASSERT(count == usize);
driver_free_binary(f->bin);
ram_file_set(f, bin, usize, count);
return numeric_reply(f, count);
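Review bot: `ASSERT(count == usize)` runs only after every byte has been written through `outp`, so it records the invariant but cannot stop an overrun, and it presumably compiles to nothing outside DEBUG builds. Since the size formula no longer carries a spare byte, I would document the coupling next to the assertion, e.g. `/* usize is exact: any change to the encode loop must be mirrored in the usize formula above */`. The encode loop itself is outside this hunk.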
diff --git a/lib/asn1/c_src/asn1_erl_driver.c b/lib/asn1/c_src/asn1_erl_driver.c
index cd2e63a363..fd284e5800 100644
--- a/lib/asn1/c_src/asn1_erl_driver.c
+++ b/lib/asn1/c_src/asn1_erl_driver.c
@@ -1,19 +1,19 @@
/*
* %CopyrightBegin%
- *
- * Copyright Ericsson AB 2002-2009. All Rights Reserved.
- *
+ *
+ * Copyright Ericsson AB 2002-2010. All Rights Reserved.
+ *
* The contents of this file are subject to the Erlang Public License,
* Version 1.1, (the "License"); you may not use this file except in
* compliance with the License. You should have received a copy of the
* Erlang Public License along with this software. If not, it can be
* retrieved online at http://www.erlang.org/.
- *
+ *
* Software distributed under the License is distributed on an "AS IS"
* basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
* the License for the specific language governing rights and limitations
* under the License.
- *
+ *
* %CopyrightEnd%
*
*/
@@ -206,7 +206,11 @@ int asn1_drv_control(ErlDrvData handle,
set_port_control_flags(a_data->port, PORT_CONTROL_FLAG_BINARY);
if (command == ASN1_COMPLETE)
- { /* Do the PER complete encode step */
+ {
+ if (buf_len==0) {
+ return 0; /* Avoid binary buffer overwrite (OTP-8451) */
+ }
+ /* Do the PER complete encode step */
if ((drv_binary = driver_alloc_binary(buf_len))==NULL) {
/* error handling */
set_port_control_flags(a_data->port, 0);
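Review bot: The new `buf_len==0` early return sits after `set_port_control_flags(a_data->port, PORT_CONTROL_FLAG_BINARY)`, and unlike the allocation-failure path a few lines below it neither resets the flags nor assigns the result buffer. Whether returning 0 with the binary flag still set and the caller's result pointer untouched is well defined depends on emulator code not shown here, so this should be confirmed. If it is not, either move the check above the flag call or mirror the error path with `set_port_control_flags(a_data->port, 0);` before `return 0;`. The commit also adds no test for the zero-length ASN1_COMPLETE case, and the body of `asn1_drv_control` continues outside the hunk.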
diff --git a/lib/kernel/test/ram_file_SUITE.erl b/lib/kernel/test/ram_file_SUITE.erl
index 55c9497670..798a37d3dc 100644
--- a/lib/kernel/test/ram_file_SUITE.erl
+++ b/lib/kernel/test/ram_file_SUITE.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2001-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2001-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
@@ -472,20 +472,25 @@ uuencode(Config) when is_list(Config) ->
%%
%% Uuencode and decode test
%%
- ?line {ok, 0} = ?FILE_MODULE:position(FdReal, bof),
- ?line {ok, 0} = ?FILE_MODULE:position(Fd, bof),
- ?line ok = ?FILE_MODULE:truncate(Fd),
- ?line {ok, Sz} = ?FILE_MODULE:copy(FdReal, Fd),
- ?line {ok, SzUu} = ?RAM_FILE_MODULE:uuencode(Fd),
- ?line true = (Sz =< SzUu),
- ?line {ok, Sz } = ?RAM_FILE_MODULE:uudecode(Fd),
- ?line {ok, 0} = ?FILE_MODULE:position(FdReal, bof),
- ?line {ok, 0} = ?FILE_MODULE:position(Fd, bof),
- ?line true = compare(FdReal, Fd),
- %%
+ F = fun(Offs) ->
+ Size = Sz - Offs,
+ ?line {ok, Offs} = ?FILE_MODULE:position(FdReal, {bof,Offs}),
+ ?line {ok, 0} = ?FILE_MODULE:position(Fd, bof),
+ ?line ok = ?FILE_MODULE:truncate(Fd),
+ ?line {ok, Size} = ?FILE_MODULE:copy(FdReal, Fd),
+ ?line {ok, SizeUu} = ?RAM_FILE_MODULE:uuencode(Fd),
+ ?line true = (Size =< SizeUu),
+ ?line {ok, Size} = ?RAM_FILE_MODULE:uudecode(Fd),
+ ?line {ok, Offs} = ?FILE_MODULE:position(FdReal, {bof,Offs}),
+ ?line {ok, 0} = ?FILE_MODULE:position(Fd, bof),
+ ?line true = compare(FdReal, Fd)
+ end,
+ lists:foreach(F, lists:seq(0,Sz-1, 43)),
+
?line ok = ?FILE_MODULE:close(FdReal),
?line ok = ?FILE_MODULE:close(Fd),
?line ok = ?FILE_MODULE:close(FdRealUu),
+ %%
ok.
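Review bot: The step of 43 in `lists:seq(0,Sz-1, 43)` is unexplained, and which sizes get exercised depends entirely on the length of the fixture file, so coverage of the boundary cases the C fix is about is incidental. Those cases are a length that is a multiple of 3 and a length that is a multiple of the uuencode line length. `Size` is also never 0, because `Offs` stops at `Sz-1`, so the empty-file path through `uuencode` is not tested. I would add a comment such as `%% Step 43 is arbitrary: it varies Size so different remainders mod 3 and mod line length are hit` and add explicit runs for the boundary sizes and for `Size = 0`. `Sz` is bound outside the hunk, which I cannot see from here.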