IPC is using buffer of CS_MAX_NAME_LENGTH for name. If user calls function with longer string, such string can be passed to service incomplete. Solution is to not allow string larger then CS_MAX_NAME_LENGTH and return error. Same applies to cpg service.

Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
(cherry picked from commit 7d29498828b3d6b9ff8775fc8f06d84507023472)
---
 lib/cpg.c      | 14 ++++++++++++++
 services/cpg.c |  5 +++++
 2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/lib/cpg.c b/lib/cpg.c
index f61efde..5e86fee 100644
--- a/lib/cpg.c
+++ b/lib/cpg.c
@@ -483,6 +483,10 @@ cs_error_t cpg_join (
 	struct req_lib_cpg_join req_lib_cpg_join;
 	struct res_lib_cpg_join res_lib_cpg_join;
 
+	if (group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
+
 	error = hdb_error_to_cs (hdb_handle_get (&cpg_handle_t_db, handle, (void *)&cpg_inst));
 	if (error != CS_OK) {
 		return (error);
@@ -533,6 +537,10 @@ cs_error_t cpg_leave (
 	struct req_lib_cpg_leave req_lib_cpg_leave;
 	struct res_lib_cpg_leave res_lib_cpg_leave;
 
+	if (group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
+
 	error = hdb_error_to_cs (hdb_handle_get (&cpg_handle_t_db, handle, (void *)&cpg_inst));
 	if (error != CS_OK) {
 		return (error);
@@ -577,6 +585,9 @@ cs_error_t cpg_membership_get (
 	struct res_lib_cpg_membership_get res_lib_cpg_membership_get;
 	unsigned int i;
 
+	if (group_name->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
 	if (member_list == NULL) {
 		return (CS_ERR_INVALID_PARAM);
 	}
@@ -830,6 +841,9 @@ cs_error_t cpg_iteration_initialize(
 	struct req_lib_cpg_iterationinitialize req_lib_cpg_iterationinitialize;
 	struct res_lib_cpg_iterationinitialize res_lib_cpg_iterationinitialize;
 
+	if (group && group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
 	if (cpg_iteration_handle == NULL) {
 		return (CS_ERR_INVALID_PARAM);
 	}
diff --git a/services/cpg.c b/services/cpg.c
index aac7a90..885a9c6 100644
--- a/services/cpg.c
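Review bot: The new check in cpg_join dereferences `group` before anything else, while the cpg_iteration_initialize hunk guards the same access with `group &&`; if a NULL group is reachable in cpg_join, cpg_leave or cpg_membership_get, each needs the same guard or an explicit `if (group == NULL) { return (CS_ERR_INVALID_PARAM); }` ahead of the length test. The commit message refers to CS_MAX_NAME_LENGTH, but all four checks compare against CPG_MAX_NAME_LENGTH; if those two constants differ, the message should name the one that actually bounds the cpg_name value buffer. The same pattern is repeated in the cpg_leave, cpg_membership_get and cpg_iteration_initialize hunks, so this note covers all four. Placing the check before hdb_handle_get in cpg_join and cpg_leave is right, since the early return then leaks no handle reference. Each of the four functions continues outside its hunk.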
+++ b/services/cpg.c
@@ -1331,6 +1331,11 @@ static void message_handler_req_lib_cpg_join (void *conn, const void *message)
 		}
 	}
 
+	if (req_lib_cpg_join->group_name.length > CPG_MAX_NAME_LENGTH) {
+		error = CS_ERR_NAME_TOO_LONG;
+		goto response_send;
+	}
+
 	switch (cpd->cpd_state) {
 	case CPD_STATE_UNJOINED:
 		error = CPG_OK;
-- 
1.7.1

_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss
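Review bot: On the service side only the join handler rejects an over-long `group_name.length`; the lib/cpg.c checks protect well-behaved callers but not the daemon, because a request that reaches the IPC socket without going through libcpg skips them, so the handlers for the other requests that carry a cpg_name (leave, membership_get and iteration_initialize, the ones touched in lib/cpg.c) should apply the same `> CPG_MAX_NAME_LENGTH` rejection before the name is copied or compared, unless they already do so outside this diff. The check is also placed after the two closing braces of code that begins outside the hunk; confirm nothing earlier in message_handler_req_lib_cpg_join reads `group_name.value` up to `length`. If `length` were a signed type a negative value would pass this comparison — presumably it is uint32_t, but verify against the cpg_name definition. Whether `response_send` emits a fully initialised response when reached with this error is not visible here. message_handler_req_lib_cpg_join starts and ends outside the hunk.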