diff options
author | Michael Santos <[email protected]> | 2011-01-23 18:16:10 -0500 |
---|---|---|
committer | Björn-Egil Dahlberg <[email protected]> | 2011-02-22 16:46:59 +0100 |
commit | 0b9795fa8145dcb06639cbb67a376e440b4fbc92 (patch) | |
tree | 99fd86fbcdc9daacee03df1b0438ad3ba1372fc0 /lib/erl_interface/src/decode | |
parent | 91275b07fb6151b1ec201ac9c8380b7b96724b63 (diff) | |
download | otp-0b9795fa8145dcb06639cbb67a376e440b4fbc92.tar.gz otp-0b9795fa8145dcb06639cbb67a376e440b4fbc92.tar.bz2 otp-0b9795fa8145dcb06639cbb67a376e440b4fbc92.zip |
ei: buffer overflow when decoding atoms
Diffstat (limited to 'lib/erl_interface/src/decode')
-rw-r--r-- | lib/erl_interface/src/decode/decode_atom.c | 2 | ||||
-rw-r--r-- | lib/erl_interface/src/decode/decode_pid.c | 2 | ||||
-rw-r--r-- | lib/erl_interface/src/decode/decode_port.c | 2 | ||||
-rw-r--r-- | lib/erl_interface/src/decode/decode_ref.c | 3 |
4 files changed, 9 insertions, 0 deletions
diff --git a/lib/erl_interface/src/decode/decode_atom.c b/lib/erl_interface/src/decode/decode_atom.c index b247bd4e17..ef28838b79 100644 --- a/lib/erl_interface/src/decode/decode_atom.c +++ b/lib/erl_interface/src/decode/decode_atom.c @@ -31,6 +31,8 @@ int ei_decode_atom(const char *buf, int *index, char *p) len = get16be(s); + if (len > MAXATOMLEN) return -1; + if (p) { memmove(p,s,len); p[len] = (char)0; diff --git a/lib/erl_interface/src/decode/decode_pid.c b/lib/erl_interface/src/decode/decode_pid.c index 5f2aec3b44..48a0c68240 100644 --- a/lib/erl_interface/src/decode/decode_pid.c +++ b/lib/erl_interface/src/decode/decode_pid.c @@ -33,6 +33,8 @@ int ei_decode_pid(const char *buf, int *index, erlang_pid *p) if (get8(s) != ERL_ATOM_EXT) return -1; len = get16be(s); + + if (len > MAXATOMLEN) return -1; if (p) { memmove(p->node, s, len); diff --git a/lib/erl_interface/src/decode/decode_port.c b/lib/erl_interface/src/decode/decode_port.c index 7fb7d8d414..296ebae024 100644 --- a/lib/erl_interface/src/decode/decode_port.c +++ b/lib/erl_interface/src/decode/decode_port.c @@ -34,6 +34,8 @@ int ei_decode_port(const char *buf, int *index, erlang_port *p) len = get16be(s); + if (len > MAXATOMLEN) return -1; + if (p) { memmove(p->node, s, len); p->node[len] = (char)0; diff --git a/lib/erl_interface/src/decode/decode_ref.c b/lib/erl_interface/src/decode/decode_ref.c index 6fc2cd6533..691b51fe2d 100644 --- a/lib/erl_interface/src/decode/decode_ref.c +++ b/lib/erl_interface/src/decode/decode_ref.c @@ -35,6 +35,8 @@ int ei_decode_ref(const char *buf, int *index, erlang_ref *p) len = get16be(s); + if (len > MAXATOMLEN) return -1; + if (p) { memmove(p->node, s, len); p->node[len] = (char)0; @@ -62,6 +64,7 @@ int ei_decode_ref(const char *buf, int *index, erlang_ref *p) /* then the nodename */ if (get8(s) != ERL_ATOM_EXT) return -1; len = get16be(s); + if (len > MAXATOMLEN) return -1; if (p) { memmove(p->node, s, len); |