[PATCH 1/4] totempg: Prevent segfault when msg is too long

When a received message was too long, assembly data was incorrectly
accessed. The solution is to check the size.

Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
---
 exec/totempg.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/exec/totempg.c b/exec/totempg.c
index fe111b1..c5eeea1 100644
--- a/exec/totempg.c
+++ b/exec/totempg.c
@@ -657,8 +657,16 @@ static void totempg_deliver_fn (
 		}
 	}
 
-	memcpy (&assembly->data[assembly->index], &data[datasize],
-		msg_len - datasize);
+	if (assembly->index + msg_len - datasize > MESSAGE_SIZE_MAX) {
+		if (assembly->throw_away_mode != THROW_AWAY_ACTIVE) {
+			log_printf (LOG_ERR, "Received message is too long (longer then %u bytes limit). Throwing away.",
+			    MESSAGE_SIZE_MAX);
+			assembly->throw_away_mode = THROW_AWAY_ACTIVE;
+		}
+	} else {
+		memcpy (&assembly->data[assembly->index], &data[datasize],
+		    msg_len - datasize);
+	}
 
 	/*
 	 * If the last message in the buffer is a fragment, then we
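Review bot: the new bound test `assembly->index + msg_len - datasize > MESSAGE_SIZE_MAX` does not by itself establish that `msg_len >= datasize`, and the declarations of these variables are not visible in this hunk. If they are unsigned and `msg_len` is smaller than `datasize`, the subtraction wraps; if they are signed, a negative result passes the test and then becomes a huge length in `memcpy`. Consider an explicit `msg_len < datasize` rejection ahead of this test, or rearranging it as `msg_len - datasize > MESSAGE_SIZE_MAX - assembly->index` once both sides are known to be non-negative. It is also worth confirming that the code following this block (the fragment handling that starts at the trailing comment) does not advance `assembly->index` or deliver the buffer when the copy was skipped, and that `MESSAGE_SIZE_MAX` matches the real size of `assembly->data` (`sizeof (assembly->data)` would make that self-evident). Minor: the log string says "longer then", which should read "longer than".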
-- 
1.7.1

_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss