diff options
author | Sverker Eriksson <[email protected]> | 2011-11-23 11:00:18 +0100 |
---|---|---|
committer | Raimo Niskanen <[email protected]> | 2011-11-28 15:20:35 +0100 |
commit | bc09f6a6eda75c4e1df708cb523ffc76340c066d (patch) | |
tree | 7fc17a6f945855197f930b5878224fb210ab6658 /erts | |
parent | ccf2297b252074a5dd05b58af7eee0cb90d51378 (diff) | |
download | otp-bc09f6a6eda75c4e1df708cb523ffc76340c066d.tar.gz otp-bc09f6a6eda75c4e1df708cb523ffc76340c066d.tar.bz2 otp-bc09f6a6eda75c4e1df708cb523ffc76340c066d.zip |
erts: Fix faulty udp-buffer handling
Caused core dump with gen_udp_SUITE on halfword vm.
Diffstat (limited to 'erts')
-rw-r--r-- | erts/emulator/drivers/common/inet_drv.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/erts/emulator/drivers/common/inet_drv.c b/erts/emulator/drivers/common/inet_drv.c index 1fe9e04341..dcc2954b02 100644 --- a/erts/emulator/drivers/common/inet_drv.c +++ b/erts/emulator/drivers/common/inet_drv.c @@ -10269,6 +10269,7 @@ static int packet_inet_input(udp_descriptor* udesc, HANDLE event) int code; void * extra = NULL; char * ptr; + int nsz; inet_input_count(desc, n); udesc->i_ptr += n; @@ -10282,17 +10283,19 @@ static int packet_inet_input(udp_descriptor* udesc, HANDLE event) ptr = udesc->i_buf->orig_bytes + sizeof(other) - len; sys_memcpy(ptr, abuf, len); + nsz = udesc->i_ptr - ptr; + /* Check if we need to reallocate binary */ - if ((desc->mode == INET_MODE_BINARY) && - (desc->hsz < (udesc->i_ptr - ptr)) && - ((udesc->i_ptr - ptr) + BIN_REALLOC_MARGIN(desc->bufsz) >= - udesc->i_bufsz)) { + if ((desc->mode == INET_MODE_BINARY) + && (desc->hsz < (nsz - len)) + && (nsz + BIN_REALLOC_MARGIN(desc->bufsz) < udesc->i_bufsz)) { ErlDrvBinary* tmp; int bufsz; bufsz = udesc->i_ptr - udesc->i_buf->orig_bytes; if ((tmp = realloc_buffer(udesc->i_buf, bufsz)) != NULL) { udesc->i_buf = tmp; udesc->i_bufsz = bufsz; + udesc->i_ptr = NULL; /* not used from here */ } } #ifdef HAVE_SCTP @@ -10300,8 +10303,8 @@ static int packet_inet_input(udp_descriptor* udesc, HANDLE event) #endif /* Actual parsing and return of the data received, occur here: */ code = packet_reply_binary_data(desc, len, udesc->i_buf, - ptr - udesc->i_buf->orig_bytes, - udesc->i_ptr - ptr, + (sizeof(other) - len), + nsz, extra); free_buffer(udesc->i_buf); udesc->i_buf = NULL; |