When a message is retransmitted, a memmove operation is done to remove the

newly retransmitted entry from the list.  It is possible this memmove operation
can buffer overflow because it has an invalid length calculation fixed by this
revision.


git-svn-id: http://svn.fedorahosted.org/svn/corosync/trunk@2794 fd59a12c-fef9-0310-b244-a6a79926bd2f

exec/totemsrp.c

@@ -2466,7 +2466,7 @@ static int orf_token_rtr (
 			orf_token->rtr_list_entries -= 1;
 			assert (orf_token->rtr_list_entries >= 0);
 			memmove (&rtr_list[i], &rtr_list[i + 1],
-				sizeof (struct rtr_item) * (orf_token->rtr_list_entries));
+				sizeof (struct rtr_item) * (orf_token->rtr_list_entries - i));
 
 			instance->stats.mcast_retx++;
 			instance->fcc_remcast_current++;