[PATCH] ei: integer overflow in string/atom encoding

[PATCH] ei: integer overflow in string/atom encoding

Michael Santos-2
ei_encode_atom() and ei_encode_string() use strlen() to get the length
of the buffer. As strlen() returns an unsigned long long and both ei
functions take a signed integer, the length fields may overflow.

Check the results of strlen can be held in a signed integer.
---
 lib/erl_interface/src/encode/encode_atom.c   |    6 +++++-
 lib/erl_interface/src/encode/encode_string.c |    6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/erl_interface/src/encode/encode_atom.c b/lib/erl_interface/src/encode/encode_atom.c
index 69f2d14..b1a4479 100644
--- a/lib/erl_interface/src/encode/encode_atom.c
+++ b/lib/erl_interface/src/encode/encode_atom.c
@@ -17,13 +17,17 @@
  * %CopyrightEnd%
  */
 #include <string.h>
+#include <limits.h>
 #include "eidef.h"
 #include "eiext.h"
 #include "putget.h"
 
 int ei_encode_atom(char *buf, int *index, const char *p)
 {
-    return ei_encode_atom_len(buf, index, p, strlen(p));
+    size_t len = strlen(p);
+
+    if (len >= INT_MAX) return -1;
+    return ei_encode_atom_len(buf, index, p, len);
 }
 
 int ei_encode_atom_len(char *buf, int *index, const char *p, int len)
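Review bot: In ei_encode_atom(), `if (len >= INT_MAX) return -1;` bounds len, but the value is then passed as a size_t to a parameter declared `int len`, so the narrowing at the call is still implicit; an explicit `(int)len` after the check would make the intent visible and keep conversion warnings quiet. The comparison also rejects len == INT_MAX, which an int can hold: `>` is the exact bound, and if `>=` is deliberate a short comment should say why. The -1 return on over-long input is a new path in this wrapper and should be mentioned in the function's documentation.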
diff --git a/lib/erl_interface/src/encode/encode_string.c b/lib/erl_interface/src/encode/encode_string.c
index 1d342cb..593bbf2 100644
--- a/lib/erl_interface/src/encode/encode_string.c
+++ b/lib/erl_interface/src/encode/encode_string.c
@@ -17,6 +17,7 @@
  * %CopyrightEnd%
  */
 #include <string.h>
+#include <limits.h>
 #include "eidef.h"
 #include "eiext.h"
 #include "putget.h"
@@ -24,7 +25,10 @@
 
 int ei_encode_string(char *buf, int *index, const char *p)
 {
-    return ei_encode_string_len(buf, index, p, strlen(p));
+    size_t len = strlen(p);
+
+    if (len >= INT_MAX) return -1;
+    return ei_encode_string_len(buf, index, p, len);
 }
 
 int ei_encode_string_len(char *buf, int *index, const char *p, int len)
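Review bot: The length check in ei_encode_string() is a verbatim copy of the one added to ei_encode_atom(); since both files include eidef.h, a single shared helper or macro there would keep the two bounds from drifting apart. The check also covers only `len`: the offset is an `int *index`, so whether `*index` plus the encoded size can still exceed INT_MAX depends on ei_encode_string_len(), which this hunk leaves untouched and which remains callable directly with any `int len`, including a negative one. Worth confirming that function validates its own argument.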
--
1.7.0.4

_______________________________________________
erlang-patches mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-patches
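
The narrowing described in the commit message above, as an added example that is not part of the original post or of erl_interface. Assumptions: `demo_encode_len` and its 4-byte length framing are hypothetical stand-ins for a length-taking encoder, and `claimed_len` stands in for a `strlen()` result so that no multi-gigabyte string has to be allocated.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Models the usual narrowing of a 64-bit length to a 32-bit int: keep the
 * low 32 bits and read them as two's complement. Done with explicit
 * arithmetic so the result does not depend on the compiler. */
int32_t narrow_to_int32(uint64_t n)
{
    uint32_t low = (uint32_t)(n & 0xFFFFFFFFu);
    if (low <= (uint32_t)INT32_MAX) return (int32_t)low;
    return -(int32_t)(UINT32_MAX - low) - 1;
}

/* Hypothetical length-taking encoder: 4-byte big-endian length, then the
 * bytes. Returns 0 on success, -1 if the length or offset is unusable. */
int demo_encode_len(unsigned char *buf, size_t cap, int *index,
                    const char *p, int32_t len)
{
    if (len < 0 || *index < 0 || cap > (size_t)INT32_MAX) return -1;
    if ((size_t)*index > cap || cap - (size_t)*index < (size_t)len + 4) return -1;
    unsigned char *s = buf + *index;
    s[0] = (unsigned char)(len >> 24); s[1] = (unsigned char)(len >> 16);
    s[2] = (unsigned char)(len >> 8);  s[3] = (unsigned char)len;
    memcpy(s + 4, p, (size_t)len);
    *index += 4 + (int)len;
    return 0;
}

/* Unchecked wrapper (modelled): the 64-bit length is narrowed on the way in.
 * 2^31 becomes negative and is refused; 2^32 + 5 becomes 5 and is accepted,
 * so a truncated term is encoded and success is reported. */
int demo_encode_unchecked(unsigned char *buf, size_t cap, int *index,
                          const char *p, uint64_t claimed_len)
{
    return demo_encode_len(buf, cap, index, p, narrow_to_int32(claimed_len));
}

/* Checked wrapper: refuse any length an int cannot hold before narrowing. */
int demo_encode_checked(unsigned char *buf, size_t cap, int *index,
                        const char *p, uint64_t claimed_len)
{
    if (claimed_len > (uint64_t)INT32_MAX) return -1;
    return demo_encode_len(buf, cap, index, p, (int32_t)claimed_len);
}
```

The wrap-to-small-positive case is the one a negative-length check inside the `_len` function cannot catch, which is why the bound has to be tested before the conversion.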

Re: [PATCH] ei: integer overflow in string/atom encoding

Raimo Niskanen-5
On Mon, Jun 06, 2011 at 10:55:19AM -0400, Michael Santos wrote:
> ei_encode_atom() and ei_encode_string() use strlen() to get the length
> of the buffer. As strlen() returns an unsigned long long and both ei
> functions take a signed integer, the length fields may overflow.
>
> Check the results of strlen can be held in a signed integer.

Thank you. I have included your patch into 'pu'.

--

/ Raimo Niskanen, Erlang/OTP, Ericsson AB