From 2ce202a9d9b93494f4c93e53e19f3ad03153abb9 Mon Sep 17 00:00:00 2001
From: Adam Moody <moody20@llnl.gov>
Date: Thu, 2 Jul 2015 14:07:50 -0700
Subject: [PATCH] avoid potential buffer overrun in mvapich abort message

---
 src/plugins/mpi/mvapich/mvapich.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/plugins/mpi/mvapich/mvapich.c b/src/plugins/mpi/mvapich/mvapich.c
index 913e7935bc3..4f50ce2dd56 100644
--- a/src/plugins/mpi/mvapich/mvapich.c
+++ b/src/plugins/mpi/mvapich/mvapich.c
@@ -1408,8 +1408,31 @@ static void mvapich_wait_for_abort(mvapich_state_t *st)
 			dst = ranks[0];
 			src = ranks[1];
 			fd_read_n (newfd, &msglen, sizeof (int));
-			if (msglen)
+			if (msglen > 0) {
+				/*
+				 * Ensure that we don't overrun our buffer.
+				 */
+				if (msglen > sizeof(msg) - 1)
+					msglen = sizeof(msg) - 1;
+				
 				fd_read_n (newfd, msg, msglen);
+				
+				/*
+				 * Ensure that msg ends with a NULL.
+				 * Note that msglen is at most sizeof(msg)-1
+				 * due to code above.
+				 */
+				msg [ msglen ] = '\0';
+			} else {
+				/*
+				 * We read in a zero or negative message length.
+				 * Set msglen to 0 to indicate that we didn't
+				 * read any message string and ensure msg is
+				 * the empty string.
+				 */
+				msglen = 0;
+				msg [ msglen ] = '\0';
+			}
 		} else {
 			src = ranks[0];
 			dst = -1;
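Review bot: The return value of `fd_read_n (newfd, msg, msglen)` is still ignored, so after a short read or an error the terminator is written at `msglen` and the bytes between what was actually received and that offset are whatever `msg` held before, which then become part of the abort message. Terminating at the count actually read would close that gap, e.g. `n = fd_read_n (newfd, msg, msglen);` followed by `msglen = (n > 0) ? (int) n : 0;` before the `msg [ msglen ] = '\0';` line (this assumes fd_read_n returns the byte count or -1, which is not visible here). The same applies to the unchanged length read just above: if `fd_read_n (newfd, &msglen, sizeof (int))` fails, `msglen` is tested without having been set by the peer, unless it is initialised outside the hunk. The clamp also relies on `msg` being an array so that `sizeof(msg)` is its capacity; its declaration is outside the hunk, as are the start and end of mvapich_wait_for_abort.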
-- 
GitLab