Home Explore Help
Sign In
LBP
/
corosync
mirror of https://github.com/corosync/corosync
4
0
Fork 0
Files Issues 0 Wiki
Browse Source

totemsrp: Check join and leave msg length

If number of proc_list, failed_list or active members is too high it
may be impossible to put them into message, which is allocated on the
stack what results in stack corruption.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
Jan Friesse 7 years ago
parent
c139255669
commit
ccb2290f84
1 changed files with 21 additions and 1 deletions
Split View Show Diff Stats
  1. 21 1
      exec/totemsrp.c

+ 21 - 1
exec/totemsrp.c
View File 

@@ -3218,6 +3218,7 @@ static void memb_join_message_send (struct totemsrp_instance *instance)
 
 	struct memb_join *memb_join = (struct memb_join *)memb_join_data;
 
 	char *addr;
 
 	unsigned int addr_idx;
 
+	size_t msg_len;
 
 
 	memb_join->header.magic = TOTEM_MH_MAGIC;
 
 	memb_join->header.version = TOTEM_MH_VERSION;
 
@@ -3226,6 +3227,16 @@ static void memb_join_message_send (struct totemsrp_instance *instance)
 
 	memb_join->header.nodeid = instance->my_id.nodeid;
 
 	assert (memb_join->header.nodeid);
 
 
+	msg_len = sizeof(struct memb_join) +
 
+	    ((instance->my_proc_list_entries + instance->my_failed_list_entries) * sizeof(struct srp_addr));
 
+
 
+	if (msg_len > sizeof(memb_join_data)) {
 
+		log_printf (instance->totemsrp_log_level_error,
 
+			"memb_join_message too long. Ignoring message.");
 
+
 
+		return ;
 
+	}
 
+
 
 	memb_join->ring_seq = instance->my_ring_id.seq;
 
 	memb_join->proc_list_entries = instance->my_proc_list_entries;
 
 	memb_join->failed_list_entries = instance->my_failed_list_entries;
 
@@ -3252,7 +3263,6 @@ static void memb_join_message_send (struct totemsrp_instance *instance)
 
 		instance->my_failed_list_entries *
 
 		sizeof (struct srp_addr);
 
 
-
 
 	if (instance->totem_config->send_join_timeout) {
 
 		usleep (random() % (instance->totem_config->send_join_timeout * 1000));
 
 	}
 
@@ -3273,6 +3283,7 @@ static void memb_leave_message_send (struct totemsrp_instance *instance)
 
 	unsigned int addr_idx;
 
 	int active_memb_entries;
 
 	struct srp_addr active_memb[PROCESSOR_COUNT_MAX];
 
+	size_t msg_len;
 
 
 	log_printf (instance->totemsrp_log_level_debug,
 
 		"sending join/leave message");
 
@@ -3289,6 +3300,15 @@ static void memb_leave_message_send (struct totemsrp_instance *instance)
 
 			   instance->my_proc_list, instance->my_proc_list_entries,
 
 			   &instance->my_id, 1);
 
 
+	msg_len = sizeof(struct memb_join) +
 
+	    ((active_memb_entries + instance->my_failed_list_entries) * sizeof(struct srp_addr));
 
+
 
+	if (msg_len > sizeof(memb_join_data)) {
 
+		log_printf (instance->totemsrp_log_level_error,
 
+			"memb_leave message too long. Ignoring message.");
 
+
 
+		return ;
 
+	}
 
 
 	memb_join->header.magic = TOTEM_MH_MAGIC;
 
 	memb_join->header.version = TOTEM_MH_VERSION;