diff options
author | Patrik Nyblom <[email protected]> | 2010-08-25 11:47:11 +0200 |
---|---|---|
committer | Patrik Nyblom <[email protected]> | 2010-08-31 15:42:52 +0200 |
commit | 716d3f57b471b2e2c3b5772008f5d32767c6cbeb (patch) | |
tree | 20e641e653b148827af5ddc4dae6249c4256ad15 /erts/epmd/test | |
parent | f5be3aeaef131d19741084dbf8fee16458d31513 (diff) | |
download | otp-716d3f57b471b2e2c3b5772008f5d32767c6cbeb.tar.gz otp-716d3f57b471b2e2c3b5772008f5d32767c6cbeb.tar.bz2 otp-716d3f57b471b2e2c3b5772008f5d32767c6cbeb.zip |
Remove two buffer overflow vulnerabilities in EPMD
Diffstat (limited to 'erts/epmd/test')
-rw-r--r-- | erts/epmd/test/epmd_SUITE.erl | 62 |
1 files changed, 60 insertions, 2 deletions
diff --git a/erts/epmd/test/epmd_SUITE.erl b/erts/epmd/test/epmd_SUITE.erl index 88980fec63..5bcbe96b31 100644 --- a/erts/epmd/test/epmd_SUITE.erl +++ b/erts/epmd/test/epmd_SUITE.erl @@ -63,7 +63,9 @@ alive_req_too_large/1, returns_valid_empty_extra/1, - returns_valid_populated_extra_with_nulls/1 + returns_valid_populated_extra_with_nulls/1, + buffer_overrun_1/1, + buffer_overrun_2/1 ]). @@ -121,7 +123,10 @@ all(suite) -> alive_req_too_large, returns_valid_empty_extra, - returns_valid_populated_extra_with_nulls + returns_valid_populated_extra_with_nulls, + + buffer_overrun_1, + buffer_overrun_2 ]. %% @@ -705,6 +710,59 @@ returns_valid_populated_extra_with_nulls(Config) when is_list(Config) -> ?line ok = close(Sock), ok. + +buffer_overrun_1(suite) -> + []; +buffer_overrun_1(doc) -> + ["Test security vulnerability in fake extra lengths in alive2_req"]; +buffer_overrun_1(Config) when is_list(Config) -> + ?line ok = epmdrun(), + ?line true = alltrue([hostile(N) || N <- lists:seq(1,10000)]), + ok. +buffer_overrun_2(suite) -> + []; +buffer_overrun_2(doc) -> + ["Test security vulnerability in fake extra lengths in alive2_req"]; +buffer_overrun_2(Config) when is_list(Config) -> + ?line ok = epmdrun(), + ?line [false | Rest] = [hostile2(N) || N <- lists:seq(255,10000)], + ?line true = alltrue(Rest), + ok. +hostile(N) -> + try + Bin= <<$x:8,4747:16,$M:8,0:8,5:16,5:16,5:16,"gurka",N:16>>, + S = size(Bin), + {ok,E}=connect(), + gen_tcp:send(E,[<<S:16>>,Bin]), + closed = recv(E,1), + gen_tcp:close(E), + true + catch + _:_ -> + false + end. +hostile2(N) -> + try + B2 = list_to_binary(lists:duplicate(N,255)), + Bin= <<$x:8,4747:16,$M:8,0:8,5:16,5:16,5:16,"gurka",N:16,B2/binary>>, + S = size(Bin), + {ok,E}=connect(), + gen_tcp:send(E,[<<S:16>>,Bin]), + Z = recv(E,2), + gen_tcp:close(E), + (Z =:= closed) or (Z =:= {ok, [$y,1]}) + catch + _:_ -> + false + end. + +alltrue([]) -> + true; +alltrue([true|T]) -> + alltrue(T); +alltrue([_|_]) -> + false. + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % Terminate all tests with killing epmd. |