IPC is using buffer of CS_MAX_NAME_LENGTH for name. If user calls function with longer string, such string can be passed to service incomplete. Solution is to not allow string larger then CS_MAX_NAME_LENGTH and return error. Same applies to cpg service.

Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
---
 exec/cpg.c |    5 +++++
 lib/cpg.c  |   14 ++++++++++++++
 2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/exec/cpg.c b/exec/cpg.c
index 971e9e7..591e80b 100644
--- a/exec/cpg.c
+++ b/exec/cpg.c
@@ -1496,6 +1496,11 @@ static void message_handler_req_lib_cpg_join (void *conn, const void *message)
 		}
 	}
 
+	if (req_lib_cpg_join->group_name.length > CPG_MAX_NAME_LENGTH) {
+		error = CS_ERR_NAME_TOO_LONG;
+		goto response_send;
+	}
+
 	switch (cpd->cpd_state) {
 	case CPD_STATE_UNJOINED:
 		error = CS_OK;
diff --git a/lib/cpg.c b/lib/cpg.c
index 0c9fa1a..55949f5 100644
--- a/lib/cpg.c
+++ b/lib/cpg.c
@@ -512,6 +512,10 @@ cs_error_t cpg_join (
 	struct req_lib_cpg_join req_lib_cpg_join;
 	struct res_lib_cpg_join response;
 
+	if (group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
+
 	error = hdb_error_to_cs (hdb_handle_get (&cpg_handle_t_db, handle, (void *)&cpg_inst));
 	if (error != CS_OK) {
 		return (error);
@@ -562,6 +566,10 @@ cs_error_t cpg_leave (
 	struct req_lib_cpg_leave req_lib_cpg_leave;
 	struct res_lib_cpg_leave res_lib_cpg_leave;
 
+	if (group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
+
 	error = hdb_error_to_cs (hdb_handle_get (&cpg_handle_t_db, handle, (void *)&cpg_inst));
 	if (error != CS_OK) {
 		return (error);
@@ -606,6 +614,9 @@ cs_error_t cpg_membership_get (
 	struct res_lib_cpg_membership_get res_lib_cpg_membership_get;
 	unsigned int i;
 
+	if (group_name->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
 	if (member_list == NULL) {
 		return (CS_ERR_INVALID_PARAM);
 	}
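Review bot: The service-side guard is added only to message_handler_req_lib_cpg_join, while the leave, membership_get and iteration_initialize requests get their new length check solely in lib/cpg.c; the service cannot rely on the library's check, because any IPC client may send a request whose `length` field exceeds the buffer, so the same guard belongs in the service handlers for those requests as well. The description names CS_MAX_NAME_LENGTH as the IPC buffer size but the comparison is against CPG_MAX_NAME_LENGTH; if the two constants differ, a comment on the new `if` should say which one actually bounds the copy, e.g. `/* group_name is copied into a CS_MAX_NAME_LENGTH buffer; reject oversized names before any copy */`. The check also sits after two closing braces, so whatever that earlier code does with group_name runs before the guard — if it reads the name bytes using this length, the check should move to the top of the handler; that earlier code is not visible here. The handler's body starts and ends outside the hunk.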
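Review bot: `group` is dereferenced unconditionally by the new `if (group->length > CPG_MAX_NAME_LENGTH)` in cpg_join, so a NULL `group` now faults in the library before hdb_handle_get; the identical checks added to cpg_leave (hunk at 562) and to `group_name` in cpg_membership_get (hunk at 606) have the same shape, whereas the check added to cpg_iteration_initialize is written `group && group->length > ...`. Whether a NULL group was rejected later in these three functions before this change is not visible in the hunks; if NULL is an invalid argument, reject it explicitly with `if (group == NULL) { return (CS_ERR_INVALID_PARAM); }` ahead of the length check, and if it was already an unchecked precondition, a one-line comment saying so would keep the four checks from looking inconsistent. Placing the check before hdb_handle_get is correct, since no handle reference has been taken yet. cpg_join's body starts and ends outside the hunk.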
@@ -982,6 +993,9 @@ cs_error_t cpg_iteration_initialize(
 	struct req_lib_cpg_iterationinitialize req_lib_cpg_iterationinitialize;
 	struct res_lib_cpg_iterationinitialize res_lib_cpg_iterationinitialize;
 
+	if (group && group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
 	if (cpg_iteration_handle == NULL) {
 		return (CS_ERR_INVALID_PARAM);
 	}
--
1.7.1

_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss
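Review bot: The new CS_ERR_NAME_TOO_LONG return is not documented anywhere in this commit — the diffstat touches only exec/cpg.c and lib/cpg.c, so the public API documentation for cpg_iteration_initialize, cpg_join, cpg_leave and cpg_membership_get still does not list it, and callers that switch on the error code will not know to expect it. A short comment on the new check would also record why `group` may be NULL here while the other three functions dereference it directly, e.g. `/* group is optional; when given, its length must fit the IPC name buffer */` — hedged, since the meaning of a NULL group is not visible in the hunk. cpg_iteration_initialize's body starts and ends outside the hunk.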