ACK On 14/01/15 17:04, Jan Friesse wrote:
When received message was too long, assembly data was incorrectly accessed. Solution is to check size.
Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
---
exec/totempg.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/exec/totempg.c b/exec/totempg.c
index fe111b1..c5eeea1 100644
--- a/exec/totempg.c
+++ b/exec/totempg.c
@@ -657,8 +657,16 @@ static void totempg_deliver_fn (
 }
 }
- memcpy (&assembly->data[assembly->index], &data[datasize],
- msg_len - datasize);
+ if (assembly->index + msg_len - datasize > MESSAGE_SIZE_MAX) {
+ if (assembly->throw_away_mode != THROW_AWAY_ACTIVE) {
+ log_printf (LOG_ERR, "Received message is too long (longer then %u bytes limit). Throwing away.",
+ MESSAGE_SIZE_MAX);
+ assembly->throw_away_mode = THROW_AWAY_ACTIVE;
+ }
+ } else {
+ memcpy (&assembly->data[assembly->index], &data[datasize],
+ msg_len - datasize);
+ }
 /*
 * If the last message in the buffer is a fragment, then we
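Review bot: The new bound `assembly->index + msg_len - datasize > MESSAGE_SIZE_MAX` does not cover `datasize` being larger than `msg_len`: the difference then wraps or goes negative, the sum can still land under the limit, and the `memcpy` in the `else` branch takes that difference as its length. Whether an earlier check in totempg_deliver_fn rules this out is not visible, since the function starts and ends outside the hunk. Provided `assembly->index` never exceeds the limit, and with the operand types checked, I would write the guard as `if (msg_len < datasize || msg_len - datasize > MESSAGE_SIZE_MAX - assembly->index) {`. It is also worth confirming that the delivery code after the hunk does not read `assembly->data` for this message once `throw_away_mode` has been set here. The log text should read "longer than".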