When ringnumber in config file was set to value bigger or equal to INTERFACE_MAX, we are using this big value as index to totemconfig interfaces array, resulting to access to invalid memory and segfault. Instead of that, ringnumber is now checked and proper error message is printed if value is too big. Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx> --- exec/totemconfig.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/exec/totemconfig.c b/exec/totemconfig.c index 8de3243..99dd815 100644 --- a/exec/totemconfig.c +++ b/exec/totemconfig.c @@ -364,6 +364,16 @@ printf ("couldn't find totem handle\n"); objdb_get_int (objdb, object_interface_handle, "ringnumber", &ringnumber); + + if (ringnumber >= INTERFACE_MAX) { + snprintf (error_string_response, sizeof(error_string_response), + "parse error in config: interface ring number %u is bigger then allowed maximum %u\n", + ringnumber, INTERFACE_MAX - 1); + + *error_string = error_string_response; + return -1; + } + /* * Get interface multicast address */ -- 1.7.1 _______________________________________________ discuss mailing list discuss@xxxxxxxxxxxx http://lists.corosync.org/mailman/listinfo/discuss