Reviewed-by: Steven Dake <sdake@xxxxxxxxxx>
On 09/27/2012 04:00 AM, Jan Friesse wrote:
> When ringnumber in config file was set to value bigger or equal to
> INTERFACE_MAX, we are using this big value as index to totemconfig
> interfaces array, resulting to access to invalid memory and segfault.
>
> Instead of that, ringnumber is now checked and proper error message is
> printed if value is too big.
>
> Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
> ---
> exec/totemconfig.c | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/exec/totemconfig.c b/exec/totemconfig.c
> index 8de3243..99dd815 100644
> --- a/exec/totemconfig.c
> +++ b/exec/totemconfig.c
> @@ -364,6 +364,16 @@ printf ("couldn't find totem handle\n");
>
> objdb_get_int (objdb, object_interface_handle, "ringnumber", &ringnumber);
>
> +
> + if (ringnumber >= INTERFACE_MAX) {
> + snprintf (error_string_response, sizeof(error_string_response),
> + "parse error in config: interface ring number %u is bigger then allowed maximum %u\n",
> + ringnumber, INTERFACE_MAX - 1);
> +
> + *error_string = error_string_response;
> + return -1;
> + }
> +
> /*
> * Get interface multicast address
> */
>
_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss
