aboutsummaryrefslogtreecommitdiffstats
path: root/erts/epmd/test/epmd_SUITE.erl
diff options
context:
space:
mode:
authorPatrik Nyblom <[email protected]>2010-08-25 11:47:11 +0200
committerPatrik Nyblom <[email protected]>2010-08-31 15:42:52 +0200
commit716d3f57b471b2e2c3b5772008f5d32767c6cbeb (patch)
tree20e641e653b148827af5ddc4dae6249c4256ad15 /erts/epmd/test/epmd_SUITE.erl
parentf5be3aeaef131d19741084dbf8fee16458d31513 (diff)
downloadotp-716d3f57b471b2e2c3b5772008f5d32767c6cbeb.tar.gz
otp-716d3f57b471b2e2c3b5772008f5d32767c6cbeb.tar.bz2
otp-716d3f57b471b2e2c3b5772008f5d32767c6cbeb.zip
Remove two buffer overflow vulnerabilities in EPMD
Diffstat (limited to 'erts/epmd/test/epmd_SUITE.erl')
-rw-r--r--erts/epmd/test/epmd_SUITE.erl62
1 files changed, 60 insertions, 2 deletions
diff --git a/erts/epmd/test/epmd_SUITE.erl b/erts/epmd/test/epmd_SUITE.erl
index 88980fec63..5bcbe96b31 100644
--- a/erts/epmd/test/epmd_SUITE.erl
+++ b/erts/epmd/test/epmd_SUITE.erl
@@ -63,7 +63,9 @@
alive_req_too_large/1,
returns_valid_empty_extra/1,
- returns_valid_populated_extra_with_nulls/1
+ returns_valid_populated_extra_with_nulls/1,
+ buffer_overrun_1/1,
+ buffer_overrun_2/1
]).
@@ -121,7 +123,10 @@ all(suite) ->
alive_req_too_large,
returns_valid_empty_extra,
- returns_valid_populated_extra_with_nulls
+ returns_valid_populated_extra_with_nulls,
+
+ buffer_overrun_1,
+ buffer_overrun_2
].
%%
@@ -705,6 +710,59 @@ returns_valid_populated_extra_with_nulls(Config) when is_list(Config) ->
?line ok = close(Sock),
ok.
+
+buffer_overrun_1(suite) ->
+ [];
+buffer_overrun_1(doc) ->
+ ["Test security vulnerability in fake extra lengths in alive2_req"];
+buffer_overrun_1(Config) when is_list(Config) ->
+ ?line ok = epmdrun(),
+ ?line true = alltrue([hostile(N) || N <- lists:seq(1,10000)]),
+ ok.
+buffer_overrun_2(suite) ->
+ [];
+buffer_overrun_2(doc) ->
+ ["Test security vulnerability in fake extra lengths in alive2_req"];
+buffer_overrun_2(Config) when is_list(Config) ->
+ ?line ok = epmdrun(),
+ ?line [false | Rest] = [hostile2(N) || N <- lists:seq(255,10000)],
+ ?line true = alltrue(Rest),
+ ok.
+hostile(N) ->
+ try
+ Bin= <<$x:8,4747:16,$M:8,0:8,5:16,5:16,5:16,"gurka",N:16>>,
+ S = size(Bin),
+ {ok,E}=connect(),
+ gen_tcp:send(E,[<<S:16>>,Bin]),
+ closed = recv(E,1),
+ gen_tcp:close(E),
+ true
+ catch
+ _:_ ->
+ false
+ end.
+hostile2(N) ->
+ try
+ B2 = list_to_binary(lists:duplicate(N,255)),
+ Bin= <<$x:8,4747:16,$M:8,0:8,5:16,5:16,5:16,"gurka",N:16,B2/binary>>,
+ S = size(Bin),
+ {ok,E}=connect(),
+ gen_tcp:send(E,[<<S:16>>,Bin]),
+ Z = recv(E,2),
+ gen_tcp:close(E),
+ (Z =:= closed) or (Z =:= {ok, [$y,1]})
+ catch
+ _:_ ->
+ false
+ end.
+
+alltrue([]) ->
+ true;
+alltrue([true|T]) ->
+ alltrue(T);
+alltrue([_|_]) ->
+ false.
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Terminate all tests with killing epmd.