aboutsummaryrefslogtreecommitdiffstats
path: root/lib/observer/src/cdv_dist_cb.erl
diff options
context:
space:
mode:
authorMikael Pettersson <[email protected]>2018-04-21 13:39:11 +0200
committerMikael Pettersson <[email protected]>2018-04-21 13:39:11 +0200
commitbf96458d2abfc22abbb3c4ae5126859421b054d7 (patch)
tree6712610da8f962fd6258409fcd2630b3545b67b0 /lib/observer/src/cdv_dist_cb.erl
parent0343b68b053ee97b2ef70ea07b9aa87e8842c591 (diff)
downloadotp-bf96458d2abfc22abbb3c4ae5126859421b054d7.tar.gz
otp-bf96458d2abfc22abbb3c4ae5126859421b054d7.tar.bz2
otp-bf96458d2abfc22abbb3c4ae5126859421b054d7.zip
fix integer truncation bugs in error logger path
Sending a large term to the error logger has two problems related to the size and sign of the variables used to represent lengths: - the API functions (erts_send_error_term_to_logger() et al) perform an unchecked narrowing conversion from size_t to int when passing dsbufp->str_len to the internal functions; this may both truncate the length and make it negative - do_send_term_to_logger() and do_send_to_logger() multiply the int-typed length by 2 before widening it to Uint and adding a few more values; the intermediate product may overflow causing loss of high bits and a change of sign; if the intermediate product is negative the final size will be an extremely large positive value The end result is that the computed buffer size can be arbitrarily wrong, either too small or too large. While reviewing this code I also found and fixed a potential narrowing bug in erts_set_hole_marker().
Diffstat (limited to 'lib/observer/src/cdv_dist_cb.erl')
0 files changed, 0 insertions, 0 deletions