[Openais] [PATCH 1/7] If totem receives a corrupt message, ignore it (instead of crashing).

angus salkeld angus.salkeld at alliedtelesis.co.nz
Tue Aug 19 11:54:26 PDT 2008


Signed-off-by: Angus Salkeld <angus.salkeld at alliedtelesis.co.nz>
---
 exec/totemsrp.c |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index 173534e..9c01a3c 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -3148,6 +3148,7 @@ static int message_handler_orf_token (
 	}
 #endif
 
+
 	if (endian_conversion_needed) {
 		orf_token_endian_convert ((struct orf_token *)msg,
 			(struct orf_token *)token_convert);
@@ -3158,10 +3159,19 @@ static int message_handler_orf_token (
 	 * Make copy of token and retransmit list in case we have
 	 * to flush incoming messages from the kernel queue
 	 */
+	if (msg_len < sizeof (struct orf_token)) {
+		log_printf (instance->totemsrp_log_level_error,
+					"message corrupt.  Length is %d, should be %d\n",
+					msg_len, (sizeof (struct orf_token)));
+		return;
+	}
 	token = (struct orf_token *)token_storage;
 	memcpy (token, msg, sizeof (struct orf_token));
+	if (token->rtr_list_entries > RETRANSMIT_ENTRIES_MAX) {
+		token->rtr_list_entries = RETRANSMIT_ENTRIES_MAX;
+	}
 	memcpy (&token->rtr_list[0], msg + sizeof (struct orf_token),
-		sizeof (struct rtr_item) * RETRANSMIT_ENTRIES_MAX);
+		sizeof (struct rtr_item) * token->rtr_list_entries);
 

 	/*
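Review bot: The second memcpy still reads `sizeof (struct rtr_item) * token->rtr_list_entries` bytes from `msg`, but `msg_len` is only compared with the fixed header size, so a short message that claims a non-zero entry count is read past the received data. Before that copy the handler should also check `if (msg_len < sizeof (struct orf_token) + sizeof (struct rtr_item) * token->rtr_list_entries)` and drop the message; if `rtr_list_entries` is a signed field (its type is not visible here), a negative value also passes the `> RETRANSMIT_ENTRIES_MAX` test and needs rejecting. The bare `return;` is in a function the hunk header shows as `static int`, so it should return whatever value this handler uses for a discarded message. The length check also sits after the `orf_token_endian_convert` call in the previous hunk, which already treats `msg` as a full `struct orf_token`; moving the check above that call would cover the conversion path too. The function body starts and ends outside the hunk.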
-- 
1.5.6



