
cpg: Check input param name_t length

IPC is using buffer of CS_MAX_NAME_LENGTH for name. If user calls
function with longer string, such string can be passed to service
incomplete.

The solution is to reject strings longer than CS_MAX_NAME_LENGTH
and return an error.

Same applies to cpg service.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Fabio M. Di Nitto <fdinitto@redhat.com>
Jan Friesse il y a 13 ans
Parent
commit
2d10e2bbea
2 fichiers modifiés avec 19 ajouts et 0 suppressions
  1. 5 0
      exec/cpg.c
  2. 14 0
      lib/cpg.c

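--- a/exec/cpg.c
+++ b/exec/cpg.c
@@ -1496,6 +1496,11 @@ static void message_handler_req_lib_cpg_join (void *conn, const void *message)
 		}
 	}
 
+	if (req_lib_cpg_join->group_name.length > CPG_MAX_NAME_LENGTH) {
+		error = CS_ERR_NAME_TOO_LONG;
+		goto response_send;
+	}
+
 	switch (cpd->cpd_state) {
 	case CPD_STATE_UNJOINED:
 		error = CS_OK;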
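Review bot: The new length check in message_handler_req_lib_cpg_join runs only after the block whose closing braces appear as context above it, so if that earlier code (outside the hunk) already reads `group_name` through its `length` field, an oversized value from a client is used before it is rejected. Validating first is safer: place the `if (req_lib_cpg_join->group_name.length > CPG_MAX_NAME_LENGTH)` guard directly after `req_lib_cpg_join` is assigned, provided the `response_send` path does not rely on state set in between. This is also the only daemon-side handler changed in this commit, while lib/cpg.c gains checks for leave, membership_get and iteration_initialize. The library checks do not bind a client that writes to the IPC socket directly, so the corresponding handlers in exec/cpg.c likely need the same guard. The function begins and ends outside the hunk.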

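--- a/lib/cpg.c
+++ b/lib/cpg.c
@@ -512,6 +512,10 @@ cs_error_t cpg_join (
 	struct req_lib_cpg_join req_lib_cpg_join;
 	struct res_lib_cpg_join response;
 
+	if (group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
+
 	error = hdb_error_to_cs (hdb_handle_get (&cpg_handle_t_db, handle, (void *)&cpg_inst));
 	if (error != CS_OK) {
 		return (error);
@@ -562,6 +566,10 @@ cs_error_t cpg_leave (
 	struct req_lib_cpg_leave req_lib_cpg_leave;
 	struct res_lib_cpg_leave res_lib_cpg_leave;
 
+        if (group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+        }
+
 	error = hdb_error_to_cs (hdb_handle_get (&cpg_handle_t_db, handle, (void *)&cpg_inst));
 	if (error != CS_OK) {
 		return (error);
@@ -606,6 +614,9 @@ cs_error_t cpg_membership_get (
 	struct res_lib_cpg_membership_get res_lib_cpg_membership_get;
 	unsigned int i;
 
+	if (group_name->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
 	if (member_list == NULL) {
 		return (CS_ERR_INVALID_PARAM);
 	}
@@ -982,6 +993,9 @@ cs_error_t cpg_iteration_initialize(
 	struct req_lib_cpg_iterationinitialize req_lib_cpg_iterationinitialize;
 	struct res_lib_cpg_iterationinitialize res_lib_cpg_iterationinitialize;
 
+	if (group && group->length > CPG_MAX_NAME_LENGTH) {
+		return (CS_ERR_NAME_TOO_LONG);
+	}
 	if (cpg_iteration_handle == NULL) {
 		return (CS_ERR_INVALID_PARAM);
 	}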
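Review bot: In cpg_join, cpg_leave and cpg_membership_get the added check dereferences `group` / `group_name` without a NULL test, whereas cpg_iteration_initialize guards with `group &&`. In cpg_membership_get it also runs before the existing `member_list == NULL` validation, so a NULL name would fault instead of returning an error. If NULL is not a valid name for these three calls, start each with `if (group == NULL) { return (CS_ERR_INVALID_PARAM); }` (`group_name` in cpg_membership_get). The cpg_leave hunk indents its `if` and `}` with spaces where the surrounding lines use tabs, and each check would benefit from a short comment such as `/* reject names that do not fit the IPC name buffer instead of sending them truncated */`. All four function bodies continue outside their hunks.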