Signed-off-by: Angus Salkeld <[EMAIL PROTECTED]>
---
exec/totemsrp.c | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index 173534e..9c01a3c 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -3148,6 +3148,7 @@ static int message_handler_orf_token (
}
#endif
+
if (endian_conversion_needed) {
orf_token_endian_convert ((struct orf_token *)msg,
(struct orf_token *)token_convert);
@@ -3158,10 +3159,19 @@ static int message_handler_orf_token (
* Make copy of token and retransmit list in case we have
* to flush incoming messages from the kernel queue
*/
+ if (msg_len < sizeof (struct orf_token)) {
+ log_printf (instance->totemsrp_log_level_error,
+ "message corrupt. Length is %d, should
be %d\n",
+ msg_len, (sizeof (struct orf_token)));
+ return;
+ }
token = (struct orf_token *)token_storage;
memcpy (token, msg, sizeof (struct orf_token));
+ if (token->rtr_list_entries > RETRANSMIT_ENTRIES_MAX) {
+ token->rtr_list_entries = RETRANSMIT_ENTRIES_MAX;
+ }
memcpy (&token->rtr_list[0], msg + sizeof (struct orf_token),
- sizeof (struct rtr_item) * RETRANSMIT_ENTRIES_MAX);
+ sizeof (struct rtr_item) * token->rtr_list_entries);
/*
--
1.5.6
_______________________________________________
Openais mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/openais
