[PATCH 2/2] cpg: Check input param name_t length


 



IPC uses a buffer of CS_MAX_NAME_LENGTH for the name. If the user calls a
function with a longer string, that string can be passed to the service
incomplete.

The solution is to not allow a string larger than CS_MAX_NAME_LENGTH
and to return an error.

Same applies to cpg service.

Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
---
 exec/cpg.c |    5 +++++
 lib/cpg.c  |   14 ++++++++++++++
 2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/exec/cpg.c b/exec/cpg.c
index 971e9e7..591e80b 100644
--- a/exec/cpg.c
+++ b/exec/cpg.c
@@ -1496,6 +1496,11 @@ static void message_handler_req_lib_cpg_join (void *conn, const void *message)
 		}
 	}
 
+	if (req_lib_cpg_join->group_name.length > CPG_MAX_NAME_LENGTH) {
+		error = CS_ERR_NAME_TOO_LONG;
+		goto response_send;
+	}
+
 	switch (cpd->cpd_state) {
 	case CPD_STATE_UNJOINED:
 		error = CS_OK;
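Review bot: The new length check in message_handler_req_lib_cpg_join comes after a block that closes just above it, so any earlier code in the handler that reads `req_lib_cpg_join->group_name` by its `length` field would see the oversized value before it is rejected; that code is outside the hunk, so this needs confirming, and if it does, the check belongs at the top of the handler. The daemon is the trust boundary here, since an IPC client need not go through lib/cpg.c, yet this commit adds the server-side check only to the join handler while the library side also covers leave, membership_get and iteration_initialize. If the corresponding exec handlers do not already validate `group_name.length`, they should get the same `> CPG_MAX_NAME_LENGTH` test. The handler body starts and ends outside the hunk.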
diff --git a/lib/cpg.c b/lib/cpg.c
index 0c9fa1a..55949f5 100644
--- a/lib/cpg.c
+++ b/lib/cpg.c
@@ -512,6 +512,10 @@ cs_error_t cpg_join (
 	struct req_lib_cpg_join req_lib_cpg_join;
 	struct res_lib_cpg_join response;
 
+	if (group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
+
 	error = hdb_error_to_cs (hdb_handle_get (&cpg_handle_t_db, handle, (void *)&cpg_inst));
 	if (error != CS_OK) {
 		return (error);
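Review bot: `group->length` is dereferenced in cpg_join before anything checks `group` for NULL, and the same applies to the checks added in cpg_leave and cpg_membership_get (where it runs ahead of the existing `member_list == NULL` test), whereas cpg_iteration_initialize guards with `group &&`. Whether these functions previously tolerated a NULL name is not visible in the hunks, but a guard such as `if (group == NULL) return (CS_ERR_INVALID_PARAM);` ahead of the length test would turn a crash in the caller's process into an error return and make the four entry points consistent. The function bodies continue outside the hunks.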
@@ -562,6 +566,10 @@ cs_error_t cpg_leave (
 	struct req_lib_cpg_leave req_lib_cpg_leave;
 	struct res_lib_cpg_leave res_lib_cpg_leave;
 
+        if (group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+        }
+
 	error = hdb_error_to_cs (hdb_handle_get (&cpg_handle_t_db, handle, (void *)&cpg_inst));
 	if (error != CS_OK) {
 		return (error);
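Review bot: The added `if` line and its closing brace in cpg_leave are indented with eight spaces, while the `return` between them and the surrounding lines use tabs. Re-indenting both lines with a single tab would match the identical checks added to cpg_join and cpg_membership_get and avoid whitespace noise in later diffs of this function.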
@@ -606,6 +614,9 @@ cs_error_t cpg_membership_get (
 	struct res_lib_cpg_membership_get res_lib_cpg_membership_get;
 	unsigned int i;
 
+	if (group_name->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
 	if (member_list == NULL) {
 		return (CS_ERR_INVALID_PARAM);
 	}
@@ -982,6 +993,9 @@ cs_error_t cpg_iteration_initialize(
 	struct req_lib_cpg_iterationinitialize req_lib_cpg_iterationinitialize;
 	struct res_lib_cpg_iterationinitialize res_lib_cpg_iterationinitialize;
 
+	if (group && group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
 	if (cpg_iteration_handle == NULL) {
 		return (CS_ERR_INVALID_PARAM);
 	}
-- 
1.7.1

_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss

