diff options
| author | Raimo Niskanen <raimo@erlang.org> | 2018-09-10 16:43:30 +0200 |
|---|---|---|
| committer | Raimo Niskanen <raimo@erlang.org> | 2018-09-11 15:29:35 +0200 |
| commit | 84e1631071858fdfd04109129c020760bb952362 (patch) | |
| tree | 48220614868ed0ebd0af8ef628a85520cc9eafdf | |
| parent | 6a556ffb979273e84ae00c997cb38086ba9ef2f5 (diff) | |
| download | erlang-84e1631071858fdfd04109129c020760bb952362.tar.gz | |
Fix term buffer overflow bug
| -rw-r--r-- | erts/emulator/drivers/common/inet_drv.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/erts/emulator/drivers/common/inet_drv.c b/erts/emulator/drivers/common/inet_drv.c index f9a471afd5..3478ba7081 100644 --- a/erts/emulator/drivers/common/inet_drv.c +++ b/erts/emulator/drivers/common/inet_drv.c @@ -625,13 +625,14 @@ static size_t my_strnlen(const char *s, size_t maxlen) #endif #ifndef __WIN32__ -/* Calculate CMSG_NXTHDR without having a struct msghdr* +/* Calculate CMSG_NXTHDR without having a struct msghdr*. * CMSG_LEN only caters for alignment for start of data. * To get how much to advance we need to use CMSG_SPACE * on the payload length. To get the payload length we * take the calculated cmsg->cmsg_len and subtract the * header length. To get the header length we use - * CMSG_LEN with payload length 0. + * the pointer difference from the cmsg start pointer + * to the CMSG_DATA(cmsg) pointer. */ #define LEN_CMSG_DATA(cmsg) ((char*)CMSG_DATA(cmsg) - (char*)(cmsg)) #define NXT_CMSG_HDR(cmsg) \ @@ -946,8 +947,13 @@ static size_t my_strnlen(const char *s, size_t maxlen) #ifdef HAVE_SCTP #define PACKET_ERL_DRV_TERM_DATA_LEN 512 #else +#ifndef __WIN32__ +/* Assume we have recvmsg() and might need room for ancillary data */ +#define PACKET_ERL_DRV_TERM_DATA_LEN 64 +#else #define PACKET_ERL_DRV_TERM_DATA_LEN 32 #endif +#endif #define BIN_REALLOC_MARGIN(x) ((x)/4) /* 25% */ @@ -12658,10 +12664,10 @@ static int packet_inet_input(udp_descriptor* udesc, HANDLE event) } } mp = NULL; -#if defined(HAVE_SCTP) +#ifdef HAVE_SCTP if (IS_SCTP(desc)) mp = &mhdr; #endif -#if !defined(__WIN32__) +#ifndef __WIN32__ if (desc->recv_cmsgflags) mp = &mhdr; #endif /* Actual parsing and return of the data received, occur here: */ |