[Openais] [PATCH 1/7] If totem receives a corrupt message, ignore it (instead of crashing).

Steven Dake sdake at redhat.com
Tue Aug 19 16:18:20 PDT 2008


There should never be a message with length less than orf_token?  Are
you receiving one?  It would indicate a failure in the code somewhere.

The rtr list should never have more than max entries.  Do you see this
behavior somewhere?

The third change looks ok.

Can you the other two before committing?

Thanks
-steve

On Wed, 2008-08-20 at 06:54 +1200, angus salkeld wrote:
> Signed-off-by: Angus Salkeld <angus.salkeld at alliedtelesis.co.nz>
> ---
>  exec/totemsrp.c |   12 +++++++++++-
>  1 files changed, 11 insertions(+), 1 deletions(-)
> 
> diff --git a/exec/totemsrp.c b/exec/totemsrp.c
> index 173534e..9c01a3c 100644
> --- a/exec/totemsrp.c
> +++ b/exec/totemsrp.c
> @@ -3148,6 +3148,7 @@ static int message_handler_orf_token (
>  	}
>  #endif
>  
> +
>  	if (endian_conversion_needed) {
>  		orf_token_endian_convert ((struct orf_token *)msg,
>  			(struct orf_token *)token_convert);
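Review bot: Stray blank line added after `#endif`, just before `if (endian_conversion_needed) {`, leaves two blank lines in a row and is unrelated to the fix; please drop it so the patch carries only the functional changes.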
> @@ -3158,10 +3159,19 @@ static int message_handler_orf_token (
>  	 * Make copy of token and retransmit list in case we have
>  	 * to flush incoming messages from the kernel queue
>  	 */
> +	if (msg_len < sizeof (struct orf_token)) {
> +		log_printf (instance->totemsrp_log_level_error,
> +					"message corrupt.  Length is %d, should be %d\n",
> +					msg_len, (sizeof (struct orf_token)));
> +		return;
> +	}
>  	token = (struct orf_token *)token_storage;
>  	memcpy (token, msg, sizeof (struct orf_token));
> +	if (token->rtr_list_entries > RETRANSMIT_ENTRIES_MAX) {
> +		token->rtr_list_entries = RETRANSMIT_ENTRIES_MAX;
> +	}
>  	memcpy (&token->rtr_list[0], msg + sizeof (struct orf_token),
> -		sizeof (struct rtr_item) * RETRANSMIT_ENTRIES_MAX);
> +		sizeof (struct rtr_item) * token->rtr_list_entries);
>  
> 
>  	/*
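Review bot: The `msg_len < sizeof (struct orf_token)` check covers only the fixed header, so the second memcpy can still read past the end of a short message: it copies `sizeof (struct rtr_item) * token->rtr_list_entries` bytes from `msg + sizeof (struct orf_token)` without comparing that size against msg_len. Suggest rejecting the message when rtr_list_entries exceeds RETRANSMIT_ENTRIES_MAX, or when msg_len is smaller than the header plus that many rtr_item entries, instead of clamping the count and carrying on with a token already known to be corrupt. Three smaller points: the new `return;` has no value although message_handler_orf_token is declared `static int`; the length check sits after the orf_token_endian_convert call shown in the previous hunk, which already reads msg as a struct orf_token, so it should move above that call; and the log format uses `%d` for a sizeof result, which is a size_t.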


