Skip to content

Commit

Permalink
Merge branch 'ms/ei-buffer-overflow-when-decoding-atoms' into dev
Browse files Browse the repository at this point in the history 
* ms/ei-buffer-overflow-when-decoding-atoms:
  ei: buffer overflow when decoding atoms

OTP-9072
  • Loading branch information
@psyeugenic
psyeugenic committed Feb 22, 2011
2 parents 91275b0 + 0b9795f commit 7bc8802
Show file tree
Hide file tree
Showing 5 changed files with 14 additions and 0 deletions.
2 changes: 2 additions & 0 deletions lib/erl_interface/src/decode/decode_atom.c
View file
Expand Up @@ -31,6 +31,8 @@ int ei_decode_atom(const char *buf, int *index, char *p)

len = get16be(s);

if (len > MAXATOMLEN) return -1;

if (p) {
memmove(p,s,len);
p[len] = (char)0;
Expand Down
2 changes: 2 additions & 0 deletions lib/erl_interface/src/decode/decode_pid.c
View file
Expand Up @@ -33,6 +33,8 @@ int ei_decode_pid(const char *buf, int *index, erlang_pid *p)
if (get8(s) != ERL_ATOM_EXT) return -1;

len = get16be(s);

if (len > MAXATOMLEN) return -1;

if (p) {
memmove(p->node, s, len);
Expand Down
2 changes: 2 additions & 0 deletions lib/erl_interface/src/decode/decode_port.c
View file
Expand Up @@ -34,6 +34,8 @@ int ei_decode_port(const char *buf, int *index, erlang_port *p)

len = get16be(s);

if (len > MAXATOMLEN) return -1;

if (p) {
memmove(p->node, s, len);
p->node[len] = (char)0;
Expand Down
3 changes: 3 additions & 0 deletions lib/erl_interface/src/decode/decode_ref.c
View file
Expand Up @@ -35,6 +35,8 @@ int ei_decode_ref(const char *buf, int *index, erlang_ref *p)

len = get16be(s);

if (len > MAXATOMLEN) return -1;

if (p) {
memmove(p->node, s, len);
p->node[len] = (char)0;
Expand Down Expand Up @@ -62,6 +64,7 @@ int ei_decode_ref(const char *buf, int *index, erlang_ref *p)
/* then the nodename */
if (get8(s) != ERL_ATOM_EXT) return -1;
len = get16be(s);
if (len > MAXATOMLEN) return -1;

if (p) {
memmove(p->node, s, len);
Expand Down
5 changes: 5 additions & 0 deletions lib/erl_interface/src/misc/ei_decode_term.c
View file
Expand Up @@ -49,6 +49,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term)
return ei_decode_double(buf, index, &term->value.d_val);
case ERL_ATOM_EXT:
len = get16be(s);
if (len > MAXATOMLEN) return -1;
memcpy(term->value.atom_name, s, len);
term->value.atom_name[len] = '\0';
s += len;
Expand All @@ -57,6 +58,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term)
/* first the nodename */
if (get8(s) != ERL_ATOM_EXT) return -1;
len = get16be(s);
if (len > MAXATOMLEN) return -1;
memcpy(term->value.ref.node, s, len);
term->value.ref.node[len] = '\0';
s += len;
Expand All @@ -71,6 +73,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term)
/* then the nodename */
if (get8(s) != ERL_ATOM_EXT) return -1;
len = get16be(s);
if (len > MAXATOMLEN) return -1;
memcpy(term->value.ref.node, s, len);
term->value.ref.node[len] = '\0';
s += len;
Expand All @@ -87,6 +90,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term)
case ERL_PORT_EXT:
if (get8(s) != ERL_ATOM_EXT) return -1;
len = get16be(s);
if (len > MAXATOMLEN) return -1;
memcpy(term->value.port.node, s, len);
term->value.port.node[len] = '\0';
term->value.port.id = get32be(s) & 0x0fffffff; /* 28 bits */;
Expand All @@ -96,6 +100,7 @@ int ei_decode_ei_term(const char* buf, int* index, ei_term* term)
if (get8(s) != ERL_ATOM_EXT) return -1;
/* name first */
len = get16be(s);
if (len > MAXATOMLEN) return -1;
memcpy(term->value.pid.node, s, len);
term->value.pid.node[len] = '\0';
s += len;
Expand Down

0 comments on commit 7bc8802

Please sign in to comment.