From 0b9795fa8145dcb06639cbb67a376e440b4fbc92 Mon Sep 17 00:00:00 2001 From: Michael Santos Date: Sun, 23 Jan 2011 18:16:10 -0500 Subject: ei: buffer overflow when decoding atoms --- lib/erl_interface/src/decode/decode_atom.c | 2 ++ lib/erl_interface/src/decode/decode_pid.c | 2 ++ lib/erl_interface/src/decode/decode_port.c | 2 ++ lib/erl_interface/src/decode/decode_ref.c | 3 +++ lib/erl_interface/src/misc/ei_decode_term.c | 5 +++++ 5 files changed, 14 insertions(+) diff --git a/lib/erl_interface/src/decode/decode_atom.c b/lib/erl_interface/src/decode/decode_atom.c index b247bd4e17..ef28838b79 100644 --- a/lib/erl_interface/src/decode/decode_atom.c +++ b/lib/erl_interface/src/decode/decode_atom.c @@ -31,6 +31,8 @@ int ei_decode_atom(const char *buf, int *index, char *p) len = get16be(s); + if (len > MAXATOMLEN) return -1; + if (p) { memmove(p,s,len); p[len] = (char)0; diff --git a/lib/erl_interface/src/decode/decode_pid.c b/lib/erl_interface/src/decode/decode_pid.c index 5f2aec3b44..48a0c68240 100644 --- a/lib/erl_interface/src/decode/decode_pid.c +++ b/lib/erl_interface/src/decode/decode_pid.c @@ -33,6 +33,8 @@ int ei_decode_pid(const char *buf, int *index, erlang_pid *p) if (get8(s) != ERL_ATOM_EXT) return -1; len = get16be(s); + + if (len > MAXATOMLEN) return -1; if (p) { memmove(p->node, s, len); diff --git a/lib/erl_interface/src/decode/decode_port.c b/lib/erl_interface/src/decode/decode_port.c index 7fb7d8d414..296ebae024 100644 --- a/lib/erl_interface/src/decode/decode_port.c +++ b/lib/erl_interface/src/decode/decode_port.c @@ -34,6 +34,8 @@ int ei_decode_port(const char *buf, int *index, erlang_port *p) len = get16be(s); + if (len > MAXATOMLEN) return -1; + if (p) { memmove(p->node, s, len); p->node[len] = (char)0; diff --git a/lib/erl_interface/src/decode/decode_ref.c b/lib/erl_interface/src/decode/decode_ref.c index 6fc2cd6533..691b51fe2d 100644 --- a/lib/erl_interface/src/decode/decode_ref.c +++ b/lib/erl_interface/src/decode/decode_ref.c @@ -35,6 +35,8 @@ int ei_decode_ref(const char *buf, int *index, erlang_ref *p) len = get16be(s); + if (len > MAXATOMLEN) return -1; + if (p) { memmove(p->node, s, len); p->node[len] = (char)0; @@ -62,6 +64,7 @@ int ei_decode_ref(const char *buf, int *index, erlang_ref *p) /* then the nodename */ if (get8(s) != ERL_ATOM_EXT) return -1; len = get16be(s); + if (len > MAXATOMLEN) return -1; if (p) { memmove(p->node, s, len); diff --git a/lib/erl_interface/src/misc/ei_decode_term.c b/lib/erl_interface/src/misc/ei_decode_term.c index 75c5dc9460..9b238c1e90 100644 --- a/lib/erl_interface/src/misc/ei_decode_term.c +++ b/lib/erl_interface/src/misc/ei_decode_term.c @@ -49,6 +49,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term) return ei_decode_double(buf, index, &term->value.d_val); case ERL_ATOM_EXT: len = get16be(s); + if (len > MAXATOMLEN) return -1; memcpy(term->value.atom_name, s, len); term->value.atom_name[len] = '\0'; s += len; @@ -57,6 +58,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term) /* first the nodename */ if (get8(s) != ERL_ATOM_EXT) return -1; len = get16be(s); + if (len > MAXATOMLEN) return -1; memcpy(term->value.ref.node, s, len); term->value.ref.node[len] = '\0'; s += len; @@ -71,6 +73,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term) /* then the nodename */ if (get8(s) != ERL_ATOM_EXT) return -1; len = get16be(s); + if (len > MAXATOMLEN) return -1; memcpy(term->value.ref.node, s, len); term->value.ref.node[len] = '\0'; s += len; @@ -87,6 +90,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term) case ERL_PORT_EXT: if (get8(s) != ERL_ATOM_EXT) return -1; len = get16be(s); + if (len > MAXATOMLEN) return -1; memcpy(term->value.port.node, s, len); term->value.port.node[len] = '\0'; term->value.port.id = get32be(s) & 0x0fffffff; /* 28 bits */; @@ -96,6 +100,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term) if (get8(s) != ERL_ATOM_EXT) return -1; /* name first */ len = get16be(s); + if (len > MAXATOMLEN) return -1; memcpy(term->value.pid.node, s, len); term->value.pid.node[len] = '\0'; s += len; -- cgit v1.2.3