cpg: Check cpg zc buffer path name length

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Fabio M. Di Nitto <fdinitto@redhat.com>

include/corosync/ipc_cpg.h

@@ -40,6 +40,8 @@
 #include <corosync/corotypes.h>
 #include <corosync/mar_gen.h>
 
+#define CPG_ZC_PATH_LEN				128
+
 enum req_cpg_types {
 	MESSAGE_REQ_CPG_JOIN = 0,
 	MESSAGE_REQ_CPG_LEAVE = 1,
@@ -298,7 +300,7 @@ struct res_lib_cpg_iterationfinalize {
 typedef struct {
         struct qb_ipc_request_header header __attribute__((aligned(8)));
         size_t map_size __attribute__((aligned(8)));
-        char path_to_file[128] __attribute__((aligned(8)));
+        char path_to_file[CPG_ZC_PATH_LEN] __attribute__((aligned(8)));
 } mar_req_coroipcc_zc_alloc_t __attribute__((aligned(8)));
 
 typedef struct {

lib/cpg.c

@@ -823,6 +823,12 @@ cs_error_t cpg_zcb_alloc (
 	map_size = size + sizeof (struct req_lib_cpg_mcast) + sizeof (struct coroipcs_zc_header);
 	assert(memory_map (path, "corosync_zerocopy-XXXXXX", &buf, map_size) != -1);
 
+	if (strlen(path) >= CPG_ZC_PATH_LEN) {
+		unlink(path);
+		munmap (buf, map_size);
+		return (CS_ERR_NAME_TOO_LONG);
+	}
+
 	req_coroipcc_zc_alloc.header.size = sizeof (mar_req_coroipcc_zc_alloc_t);
 	req_coroipcc_zc_alloc.header.id = MESSAGE_REQ_CPG_ZC_ALLOC;
 	req_coroipcc_zc_alloc.map_size = map_size;