ei: prevent overflow in ei_connect_init/ei_xconnect

Check the length of the buffer before copying.

ei_cnode ec;
struct in_addr addr;
char *node = (char *)calloc(5001, 1);
(void)memset(node, 'x', 5000);

ei_connect_init(&ec, node, "", 0);

addr.s_addr = inet_addr("192.168.1.1");
ei_xconnect(&ec, &addr, node);

1 files changed, 12 insertions, 0 deletions

diff --git a/lib/erl_interface/src/epmd/epmd_port.c b/lib/erl_interface/src/epmd/epmd_port.c
index 663b38d2d4..cf6122fafa 100644
--- a/lib/erl_interface/src/epmd/epmd_port.c
+++ b/lib/erl_interface/src/epmd/epmd_port.c
@@ -106,6 +106,12 @@ static int ei_epmd_r3_port (struct in_addr *addr, const char *alive,
   char ntoabuf[32];
 #endif
   
+  if (len > sizeof(buf) - 3)
+  {
+      erl_errno = ERANGE;
+      return -1;
+  }
+
   put16be(s,len);
   put8(s,EI_EPMD_PORT_REQ);
   strcpy(s,alive);
@@ -164,6 +170,12 @@ static int ei_epmd_r4_port (struct in_addr *addr, const char *alive,
 #if defined(VXWORKS)
   char ntoabuf[32];
 #endif
+
+  if (len > sizeof(buf) - 3)
+  {
+      erl_errno = ERANGE;
+      return -1;
+  }
   
   put16be(s,len);
   put8(s,EI_EPMD_PORT2_REQ);