Merge trunk revision 2794:

r2794 | sdake | 2010-04-29 22:15:41 -0700 (Thu, 29 Apr 2010) | 5 lines

When a message is retransmitted, a memmove operation is done to remove the
newly retransmitted entry from the list.  It is possible this memmove operation
can buffer overflow because it has an invalid length calculation fixed by this
revision.



git-svn-id: http://svn.fedorahosted.org/svn/corosync/branches/flatiron@2864 fd59a12c-fef9-0310-b244-a6a79926bd2f

exec/totemsrp.c

@@ -2466,7 +2466,7 @@ static int orf_token_rtr (
 			orf_token->rtr_list_entries -= 1;
 			assert (orf_token->rtr_list_entries >= 0);
 			memmove (&rtr_list[i], &rtr_list[i + 1],
-				sizeof (struct rtr_item) * (orf_token->rtr_list_entries));
+				sizeof (struct rtr_item) * (orf_token->rtr_list_entries - i));
 
 			instance->stats.mcast_retx++;
 			instance->fcc_remcast_current++;