Merge branch 'ms/ei-overflow-fix' into dev

* ms/ei-overflow-fix:
  ei: prevent overflow in ei_connect_init/ei_xconnect

OTP-8814

2 files changed, 18 insertions, 2 deletions

diff --git a/lib/erl_interface/src/connect/ei_connect.c b/lib/erl_interface/src/connect/ei_connect.c
index b1b79aa0e5..e191f3fbf0 100644
--- a/lib/erl_interface/src/connect/ei_connect.c
+++ b/lib/erl_interface/src/connect/ei_connect.c
@@ -502,10 +502,14 @@ int ei_connect_init(ei_cnode* ec, const char* this_node_name,
 	return ERL_ERROR;
     }
 
-    if (this_node_name == NULL)
+    if (this_node_name == NULL) {
 	sprintf(thisalivename, "c%d", (int) getpid());
-    else
+    } else if (strlen(this_node_name) >= sizeof(thisalivename)) {
+	EI_TRACE_ERR0("ei_connect_init","ERROR: this_node_name too long");
+	return ERL_ERROR;
+    } else {
 	strcpy(thisalivename, this_node_name);
+    }
     
     if ((hp = ei_gethostbyname(thishostname)) == 0) {
 	/* Looking up IP given hostname fails. We must be on a standalone
diff --git a/lib/erl_interface/src/epmd/epmd_port.c b/lib/erl_interface/src/epmd/epmd_port.c
index 663b38d2d4..cf6122fafa 100644
--- a/lib/erl_interface/src/epmd/epmd_port.c
+++ b/lib/erl_interface/src/epmd/epmd_port.c
@@ -106,6 +106,12 @@ static int ei_epmd_r3_port (struct in_addr *addr, const char *alive,
   char ntoabuf[32];
 #endif
   
+  if (len > sizeof(buf) - 3)
+  {
+      erl_errno = ERANGE;
+      return -1;
+  }
+
   put16be(s,len);
   put8(s,EI_EPMD_PORT_REQ);
   strcpy(s,alive);
@@ -164,6 +170,12 @@ static int ei_epmd_r4_port (struct in_addr *addr, const char *alive,
 #if defined(VXWORKS)
   char ntoabuf[32];
 #endif
+
+  if (len > sizeof(buf) - 3)
+  {
+      erl_errno = ERANGE;
+      return -1;
+  }
   
   put16be(s,len);
   put8(s,EI_EPMD_PORT2_REQ);