From d34e248f0913a337f1662e07b15298f9a082834b Mon Sep 17 00:00:00 2001
From: Raimo Niskanen
Date: Thu, 15 Dec 2011 14:29:58 +0100
Subject: erts: Bugfix - driver_deq freed wrong length due to short type (int)
---
 erts/emulator/beam/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'erts/emulator')
diff --git a/erts/emulator/beam/io.c b/erts/emulator/beam/io.c
index 49cd0e5f53..6b89fc32e9 100644
--- a/erts/emulator/beam/io.c
+++ b/erts/emulator/beam/io.c
@@ -3912,7 +3912,7 @@ int driver_pushqv(ErlDrvPort ix, ErlIOVec* vec, ErlDrvSizeT skip)
 ErlDrvSizeT driver_deq(ErlDrvPort ix, ErlDrvSizeT size)
 {
 ErlIOQueue* q = drvport2ioq(ix);
- int len;
+ ErlDrvSizeT len;
 if ((q == NULL) || (q->size < size))
 return -1;
-- cgit v1.2.3
From b3db46435e2d32aa4197753bc95a81648f794021 Mon Sep 17 00:00:00 2001
From: Raimo Niskanen
Date: Thu, 8 Dec 2011 13:32:09 +0100
Subject: erts: rewrite efile_writev to handle partial writes correctly
---
 erts/emulator/drivers/common/efile_drv.c | 8 ++-
 erts/emulator/drivers/common/erl_efile.h | 2 +-
 erts/emulator/drivers/unix/unix_efile.c | 97 +++++++++++++-------------------
 erts/emulator/drivers/win32/win_efile.c | 3 +-
 4 files changed, 46 insertions(+), 64 deletions(-)
(limited to 'erts/emulator')
diff --git a/erts/emulator/drivers/common/efile_drv.c b/erts/emulator/drivers/common/efile_drv.c
index b132991a3b..36ed108b76 100644
--- a/erts/emulator/drivers/common/efile_drv.c
+++ b/erts/emulator/drivers/common/efile_drv.c
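Review bot: In `driver_deq` (erts/emulator/beam/io.c) the failure path `return -1;` remains in a function whose return type, and now `len` as well, is `ErlDrvSizeT`; if that type is unsigned (its definition is not on this page), the -1 reaches callers as the largest representable size and a `< 0` test on the result can never fire. Spelling the sentinel out as `return (ErlDrvSizeT) -1;` and stating it in a comment above the function would keep a caller from reading a failed dequeue as a very large remaining queue length. The rest of the function body lies outside the hunk, so how `len` is used after the declaration cannot be checked here.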
@@ -1385,7 +1385,11 @@ static void invoke_writev(void *data) {
 size = d->c.writev.size;
 }
- /* Copy the io vector to avoid locking the port que while writing */
+ /* Copy the io vector to avoid locking the port que while writing,
+ * also, both we and efile_writev might/will change the SysIOVec
+ * when segmenting or due to partial write and we do not want to
+ * tamper with the actual queue that we get from driver_peekq
+ */
 MUTEX_LOCK(d->c.writev.q_mtx); /* Lock before accessing the port queue */
 iov0 = driver_peekq(d->c.writev.port, &iovlen);
@@ -1424,7 +1428,7 @@ static void invoke_writev(void *data) {
 } else {
 d->result_ok = efile_writev(&d->errInfo, d->flags, (int) d->fd,
- iov, iovcnt, size);
+ iov, iovcnt);
 }
 } else if (iovlen == 0) {
 d->result_ok = 1;
diff --git a/erts/emulator/drivers/common/erl_efile.h b/erts/emulator/drivers/common/erl_efile.h
index 3868b38137..69ad02633c 100644
--- a/erts/emulator/drivers/common/erl_efile.h
+++ b/erts/emulator/drivers/common/erl_efile.h
@@ -162,7 +162,7 @@ int efile_write_info(Efile_error* errInfo, Efile_info* pInfo, char *name);
 int efile_write(Efile_error* errInfo, int flags, int fd, char* buf, size_t count);
 int efile_writev(Efile_error* errInfo, int flags, int fd,
- SysIOVec* iov, int iovcnt, size_t size);
+ SysIOVec* iov, int iovcnt);
 int efile_read(Efile_error* errInfo, int flags, int fd, char* buf, size_t count, size_t* pBytesRead);
 int efile_seek(Efile_error* errInfo, int fd,
diff --git a/erts/emulator/drivers/unix/unix_efile.c b/erts/emulator/drivers/unix/unix_efile.c
index 7cf0a712ce..e7dd9d2bdb 100644
--- a/erts/emulator/drivers/unix/unix_efile.c
+++ b/erts/emulator/drivers/unix/unix_efile.c
@@ -1004,13 +1004,11 @@ efile_writev(Efile_error* errInfo, /* Where to return error codes */
 * opened */
 int fd, /* File descriptor to write to */
 SysIOVec* iov, /* Vector of buffer structs.
- * The structs are unchanged
- * after the call */
- int iovcnt, /* Number of structs in vector */
- size_t size) /* Number of bytes to write */
+ * The structs may be changed i.e.
+ * due to incomplete writes */
+ int iovcnt) /* Number of structs in vector */
 {
 int cnt = 0; /* Buffers so far written */
- int p = 0; /* Position in next buffer */
 ASSERT(iovcnt >= 0);
@@ -1021,66 +1019,47 @@ efile_writev(Efile_error* errInfo, /* Where to return error codes */
 #endif
 while (cnt < iovcnt) {
+ if ((! iov[cnt].iov_base) || (iov[cnt].iov_len <= 0)) {
+ /* Empty buffer - skip */
+ cnt++;
+ } else { /* Non-empty buffer */
+ ssize_t w; /* Bytes written in this call */
 #ifdef HAVE_WRITEV
- int w; /* Bytes written in this call */
- int b = iovcnt - cnt; /* Buffers to write */
- if (b > MAXIOV)
- b = MAXIOV;
- if (iov[cnt].iov_base && iov[cnt].iov_len > 0) {
- if (b == 1) {
- /* Degenerated io vector */
- do {
- w = write(fd, iov[cnt].iov_base + p, iov[cnt].iov_len - p);
- } while (w < 0 && errno == EINTR);
- } else {
- /* Non-empty vector first.
- * Adjust pos in first buffer in case of
- * previous incomplete writev */
- iov[cnt].iov_base += p;
- iov[cnt].iov_len -= p;
+ int b = iovcnt - cnt; /* Buffers to write */
+ /* Use as many buffers as MAXIOV allows */
+ if (b > MAXIOV)
+ b = MAXIOV;
+ if (b > 1) {
 do {
 w = writev(fd, &iov[cnt], b);
 } while (w < 0 && errno == EINTR);
- iov[cnt].iov_base -= p;
- iov[cnt].iov_len += p;
- }
- if (w < 0)
- return check_error(-1, errInfo);
- } else {
- /* Empty vector first - skip */
- cnt++;
- continue;
- }
- ASSERT(w >= 0);
- /* Move forward to next vector to write */
- for (; cnt < iovcnt; cnt++) {
- if (iov[cnt].iov_base && iov[cnt].iov_len > 0) {
- if (w < iov[cnt].iov_len)
- break;
- else
- w -= iov[cnt].iov_len;
- }
- }
- ASSERT(w >= 0);
- p = w > 0 ? w : 0; /* Skip p bytes next writev */
-#else /* #ifdef HAVE_WRITEV */
- if (iov[cnt].iov_base && iov[cnt].iov_len > 0) {
- /* Non-empty vector */
- int w; /* Bytes written in this call */
- while (p < iov[cnt].iov_len) {
- do {
- w = write(fd, iov[cnt].iov_base + p, iov[cnt].iov_len - p);
- } while (w < 0 && errno == EINTR);
- if (w < 0)
- return check_error(-1, errInfo);
- p += w;
+ } else
+ /* Degenerated io vector - use regular write */
+#endif
+ {
+ do {
+ w = write(fd, iov[cnt].iov_base, iov[cnt].iov_len);
+ } while (w < 0 && errno == EINTR);
+ ASSERT(w <= iov[cnt].iov_len);
+ }
+ if (w < 0) return check_error(-1, errInfo);
+ /* Move forward to next buffer to write */
+ for (; cnt < iovcnt && w > 0; cnt++) {
+ if (iov[cnt].iov_base && iov[cnt].iov_len > 0) {
+ if (w < iov[cnt].iov_len) {
+ /* Adjust the buffer for next write */
+ iov[cnt].iov_len -= w;
+ iov[cnt].iov_base += w;
+ w = 0;
+ break;
+ } else {
+ w -= iov[cnt].iov_len;
+ }
+ }
 }
- }
- cnt++;
- p = 0;
-#endif /* #ifdef HAVE_WRITEV */
+ ASSERT(w == 0);
+ } /* else Non-empty buffer */
 } /* while (cnt< iovcnt) */
- size = 0; /* Avoid compiler warning */
 return 1;
 }
diff --git a/erts/emulator/drivers/win32/win_efile.c b/erts/emulator/drivers/win32/win_efile.c
index 0d3d334154..606fa1d7de 100644
--- a/erts/emulator/drivers/win32/win_efile.c
+++ b/erts/emulator/drivers/win32/win_efile.c
@@ -1115,8 +1115,7 @@ efile_writev(Efile_error* errInfo, /* Where to return error codes */
 SysIOVec* iov, /* Vector of buffer structs.
 * The structs are unchanged
 * after the call */
- int iovcnt, /* Number of structs in vector */
- size_t size) /* Number of bytes to write */
+ int iovcnt) /* Number of structs in vector */
 {
 int cnt; /* Buffers so far written */
 OVERLAPPED overlapped;
-- cgit v1.2.3
From 308721c56345aa6ee0d81d891f036b59541f3cc6 Mon Sep 17 00:00:00 2001
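Review bot: In the rewritten loop of `efile_writev` (erts/emulator/drivers/unix/unix_efile.c), `ASSERT(w <= iov[cnt].iov_len);` runs before the `if (w < 0)` error check, and `w` is a signed `ssize_t`. If `iov_len` is an unsigned `size_t`, as in a POSIX `struct iovec` (the `SysIOVec` definition is not on this page), a failed `write()` returning -1 converts to a huge value and trips the assertion in debug builds instead of reaching `check_error`. Placing the assertion after the error check, or writing it as `ASSERT(w < 0 || (size_t) w <= iov[cnt].iov_len);`, keeps the error path reachable. Separately, a `write()` or `writev()` that returns 0 for a non-empty buffer leaves `cnt` unchanged, so the outer `while` repeats the same call with no bound; a comment saying whether that is intended would help. The opening lines of the function are outside this hunk.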
From: Raimo Niskanen
Date: Wed, 4 Jan 2012 17:24:04 +0100
Subject: erts: Badarg if port output overflows iov_len
---
 erts/emulator/beam/io.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
(limited to 'erts/emulator')
diff --git a/erts/emulator/beam/io.c b/erts/emulator/beam/io.c
index 6b89fc32e9..b23b1f628d 100644
--- a/erts/emulator/beam/io.c
+++ b/erts/emulator/beam/io.c
@@ -1,7 +1,7 @@
 /*
 * %CopyrightBegin%
 *
- * Copyright Ericsson AB 1996-2011. All Rights Reserved.
+ * Copyright Ericsson AB 1996-2012. All Rights Reserved.
 *
 * The contents of this file are subject to the Erlang Public License,
 * Version 1.1, (the "License"); you may not use this file except in
@@ -818,6 +818,11 @@ erts_smp_xports_unlock(Port *prt)
 #define SET_VEC(iov, bv, bin, ptr, len, vlen) do { \
 (iov)->iov_base = (ptr); \
 (iov)->iov_len = (len); \
+ if (sizeof((iov)->iov_len) < sizeof(len) \
+ /* Check if (len) overflowed (iov)->iov_len */ \
+ && ((len) >> (sizeof((iov)->iov_len)*CHAR_BIT)) != 0) { \
+ goto L_overflow; \
+ } \
 *(bv)++ = (bin); \
 (iov)++; \
 (vlen)++; \
@@ -1146,11 +1151,21 @@ int erts_write_to_port(Eterm caller_id, Port *p, Eterm list)
 ivp[0].iov_len = 0;
 bvp[0] = NULL;
 ev.vsize = io_list_to_vec(list, ivp+1, bvp+1, cbin, blimit);
+ if (ev.vsize < 0) {
+ if (ivp != iv) {
+ erts_free(ERTS_ALC_T_TMP, (void *) ivp);
+ }
+ if (bvp != bv) {
+ erts_free(ERTS_ALC_T_TMP, (void *) bvp);
+ }
+ driver_free_binary(cbin);
+ goto bad_value;
+ }
 ev.vsize++;
 #if 0
 /* This assertion may say something useful, but it can be falsified during the emulator test suites. */
- ASSERT((ev.vsize >= 0) && (ev.vsize == vsize));
+ ASSERT(ev.vsize == vsize);
 #endif
 ev.size = size; /* total size */
 ev.iov = ivp;
-- cgit v1.2.3
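Review bot: `SET_VEC` now contains `goto L_overflow;`, so every function that expands the macro must define that label, and nothing at the definition says so; the label and the code that turns it into a negative return are outside these hunks. A comment above the `#define`, for example `/* Jumps to L_overflow, which the expanding function must define, when len does not fit in iov_len */`, would make the hidden control flow visible to the next person who uses the macro. The macro also evaluates `(len)` three times now and right-shifts it, so it assumes a side-effect-free, non-negative argument; that assumption belongs in the same comment.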
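Review bot: The `if (ev.vsize < 0)` branch added to `erts_write_to_port` does not say what a negative return from `io_list_to_vec` means, and that function is outside the hunk. A one-line comment such as `/* io_list_to_vec failed: an element length does not fit in iov_len */` would tie the branch to the check added in `SET_VEC`. The branch releases `ivp`, `bvp` and `cbin` inline; whether entries already stored through `bvp` before the overflow need their own release cannot be seen from here and is worth confirming. The function continues past both ends of the hunk.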