From 3a44b99cc6f14a87242e2dddc57f191f853cfd90 Mon Sep 17 00:00:00 2001
From: Sverker Eriksson
Date: Thu, 18 Feb 2010 14:59:46 +0000
Subject: OTP-8451 Harmless buffer overflow by one byte in asn1 and ram_file_drv.
---
 erts/emulator/beam/erl_binary.h | 20 +++++++++++++++-----
 erts/emulator/drivers/common/ram_file_drv.c | 14 +++++++-------
 2 files changed, 22 insertions(+), 12 deletions(-)
(limited to 'erts/emulator')
diff --git a/erts/emulator/beam/erl_binary.h b/erts/emulator/beam/erl_binary.h
index 21d4e3fdfd..1f948a9684 100644
--- a/erts/emulator/beam/erl_binary.h
+++ b/erts/emulator/beam/erl_binary.h
@@ -195,10 +195,20 @@ erts_free_aligned_binary_bytes(byte* buf)
 }
 }
 
+/* Explicit extra bytes allocated to counter buggy drivers.
+** These extra bytes where earlier (< R13B04) added by an alignment-bug
+** in this code. Do we dare remove this in some major release (R14?) maybe?
+*/
+#ifdef DEBUG
+# define CHICKEN_PAD 0
+#else
+# define CHICKEN_PAD (sizeof(void*) - 1)
+#endif
+
 ERTS_GLB_INLINE Binary *
 erts_bin_drv_alloc_fnf(Uint size)
 {
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
 void *res;
 res = erts_alloc_fnf(ERTS_ALC_T_DRV_BINARY, bsize);
 ERTS_CHK_BIN_ALIGNMENT(res);
@@ -208,7 +218,7 @@ erts_bin_drv_alloc_fnf(Uint size)
 ERTS_GLB_INLINE Binary *
 erts_bin_drv_alloc(Uint size)
 {
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
 void *res;
 res = erts_alloc(ERTS_ALC_T_DRV_BINARY, bsize);
 ERTS_CHK_BIN_ALIGNMENT(res);
@@ -219,7 +229,7 @@ erts_bin_drv_alloc(Uint size)
 ERTS_GLB_INLINE Binary *
 erts_bin_nrml_alloc(Uint size)
 {
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
 void *res;
 res = erts_alloc(ERTS_ALC_T_BINARY, bsize);
 ERTS_CHK_BIN_ALIGNMENT(res);
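Review bot: The new sum `ERTS_SIZEOF_Binary(size) + CHICKEN_PAD` in erts_bin_drv_alloc_fnf is unchecked `Uint` arithmetic, so a `size` within a few bytes of the largest value ERTS_SIZEOF_Binary can represent now wraps to a small `bsize`, and the allocation would succeed with far less room than the caller asked for. The same line is added to erts_bin_drv_alloc, erts_bin_nrml_alloc, erts_bin_realloc_fnf and erts_bin_realloc in the following hunks. ERTS_SIZEOF_Binary is not visible here and may itself wrap for slightly larger values, so one guard after the computation, such as `if (bsize < size) return NULL;` in the _fnf variants (and the out-of-memory path in the others), would cover both. The CHICKEN_PAD comment could also say that the pad is zero under DEBUG, presumably so that the overruns it absorbs in release builds stay detectable there, and "where" should read "were". The function bodies continue outside the hunks.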
@@ -230,7 +240,7 @@ ERTS_GLB_INLINE Binary *
 erts_bin_realloc_fnf(Binary *bp, Uint size)
 {
 Binary *nbp;
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
 ASSERT((bp->flags & BIN_FLAG_MAGIC) == 0);
 if (bp->flags & BIN_FLAG_DRV)
 nbp = erts_realloc_fnf(ERTS_ALC_T_DRV_BINARY, (void *) bp, bsize);
@@ -244,7 +254,7 @@ ERTS_GLB_INLINE Binary *
 erts_bin_realloc(Binary *bp, Uint size)
 {
 Binary *nbp;
- Uint bsize = ERTS_SIZEOF_Binary(size);
+ Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
 ASSERT((bp->flags & BIN_FLAG_MAGIC) == 0);
 if (bp->flags & BIN_FLAG_DRV)
 nbp = erts_realloc_fnf(ERTS_ALC_T_DRV_BINARY, (void *) bp, bsize);
diff --git a/erts/emulator/drivers/common/ram_file_drv.c b/erts/emulator/drivers/common/ram_file_drv.c
index 2e3aeb981e..4a39a156e6 100644
--- a/erts/emulator/drivers/common/ram_file_drv.c
+++ b/erts/emulator/drivers/common/ram_file_drv.c
@@ -1,19 +1,19 @@
 /*
 * %CopyrightBegin%
- *
- * Copyright Ericsson AB 1997-2009. All Rights Reserved.
- *
+ *
+ * Copyright Ericsson AB 1997-2010. All Rights Reserved.
+ *
 * The contents of this file are subject to the Erlang Public License,
 * Version 1.1, (the "License"); you may not use this file except in
 * compliance with the License. You should have received a copy of the
 * Erlang Public License along with this software. If not, it can be
 * retrieved online at http://www.erlang.org/.
- *
+ *
 * Software distributed under the License is distributed on an "AS IS"
 * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
 * the License for the specific language governing rights and limitations
 * under the License.
- *
+ *
 * %CopyrightEnd%
 */
 /*
@@ -388,7 +388,7 @@ static int ram_file_uuencode(RamFile *f)
 {
 int code_len = UULINE(UNIX_LINE);
 int len = f->end;
- int usize = (len*4+2)/3 + 2*(len/code_len+1) + 2 + 1;
+ int usize = 4*((len+2)/3) + 2*((len+code_len-1)/code_len) + 2;
 ErlDrvBinary* bin;
 uchar* inp;
 uchar* outp;
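Review bot: The new `usize` expression in ram_file_uuencode is still evaluated in signed `int` from `len = f->end` with no upper bound, so for a large enough RAM file `4*((len+2)/3)` overflows, which is undefined behaviour, and the result presumably sizes the `bin` allocation. The rewrite removes the earlier `len*4` overflow point, but the total is still roughly 1.4 times `len`. A guard before the computation such as `if (len > INT_MAX / 2)`, followed by the driver's error reply, would keep every term in range. Because the value is now meant to be exact rather than an over-estimate, a comment such as `/* exact size: 4 chars per 3 input bytes, 2 per line of code_len bytes, 2 for the final empty line */` would let a reader check it against the encoder loop. The function body continues outside the hunk, so the allocation call itself is not visible here.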
@@ -433,7 +433,7 @@ static int ram_file_uuencode(RamFile *f)
 *outp++ = ' '; /* this end of file 0 length !!! */
 *outp++ = '\n';
 count += 2;
-
+ ASSERT(count == usize);
 driver_free_binary(f->bin);
 ram_file_set(f, bin, usize, count);
 return numeric_reply(f, count);
-- 
cgit v1.2.3
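Review bot: `ASSERT(count == usize)` runs only after every byte has been written through `outp`, so if the size formula and the encoder loop ever disagree it reports an overrun of `bin` that has already happened rather than preventing it. ASSERT is presumably compiled out of non-DEBUG builds, which are also the builds where the CHICKEN_PAD added in erl_binary.h by this commit would absorb a stray byte, so a release build gets no signal at all. A comment on the line, e.g. `/* usize must be exact; count > usize means the loop wrote past bin */`, would record why the check exists, and a bound on `outp` inside the encoder loop would be the stronger check. The loop and the allocation are outside this hunk.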