From ada2e2f79db780f4a029e3747ef52a01db3163a6 Mon Sep 17 00:00:00 2001
From: Michael Santos
Date: Sat, 21 Aug 2010 22:15:01 -0400
Subject: ei: prevent overflow in ei_connect_init/ei_xconnect

Check the length of the buffer before copying.
ei_cnode ec;
struct in_addr addr;
char *node = (char *)calloc(5001, 1);
(void)memset(node, 'x', 5000);
ei_connect_init(&ec, node, "", 0);
addr.s_addr = inet_addr("192.168.1.1");
ei_xconnect(&ec, &addr, node);
---
 lib/erl_interface/src/connect/ei_connect.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'lib/erl_interface/src/connect')
diff --git a/lib/erl_interface/src/connect/ei_connect.c b/lib/erl_interface/src/connect/ei_connect.c
index b1b79aa0e5..e191f3fbf0 100644
--- a/lib/erl_interface/src/connect/ei_connect.c
+++ b/lib/erl_interface/src/connect/ei_connect.c
@@ -502,10 +502,14 @@ int ei_connect_init(ei_cnode* ec, const char* this_node_name,
 return ERL_ERROR;
 }
- if (this_node_name == NULL)
+ if (this_node_name == NULL) {
 sprintf(thisalivename, "c%d", (int) getpid());
- else
+ } else if (strlen(this_node_name) >= sizeof(thisalivename)) {
+ EI_TRACE_ERR0("ei_connect_init","ERROR: this_node_name too long");
+ return ERL_ERROR;
+ } else {
 strcpy(thisalivename, this_node_name);
+ }
 if ((hp = ei_gethostbyname(thishostname)) == 0) {
 /* Looking up IP given hostname fails. We must be on a standalone
-- cgit v1.2.3
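Review bot: The subject and the reproducer both name ei_xconnect, but the only hunk shown guards the copy into `thisalivename` inside ei_connect_init, and its six insertions account for the whole diffstat of this directory. Unless ei_xconnect is bounded somewhere outside this view, the `ei_xconnect(&ec, &addr, node)` call from the reproducer appears to still receive an unchecked 5000-byte name and deserves its own length check. Within the hunk, `strlen(this_node_name) >= sizeof(thisalivename)` is only right while `thisalivename` is a true array in this scope (its declaration is outside the hunk), so a comment such as `/* sizeof is the buffer size only because thisalivename is a local array */` would protect the guard against a later change to a pointer. ei_connect_init continues past the last context line, so whether the node name is bounded again where it is later combined with the host name cannot be confirmed from here.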