There should never be a message with length less than orf_token?  Are
you receiving one?  It would indicate a failure in the code somewhere.

The rtr list should never have more than max entries.  Do you see this
behavior somewhere?

The third change looks ok.

Can you the other two before committing?

Thanks
-steve

On Wed, 2008-08-20 at 06:54 +1200, angus salkeld wrote:
> Signed-off-by: Angus Salkeld <[EMAIL PROTECTED]>
> ---
>  exec/totemsrp.c |   12 +++++++++++-
>  1 files changed, 11 insertions(+), 1 deletions(-)
> 
> diff --git a/exec/totemsrp.c b/exec/totemsrp.c
> index 173534e..9c01a3c 100644
> --- a/exec/totemsrp.c
> +++ b/exec/totemsrp.c
> @@ -3148,6 +3148,7 @@ static int message_handler_orf_token (
>       }
>  #endif
>  
> +
>       if (endian_conversion_needed) {
>               orf_token_endian_convert ((struct orf_token *)msg,
>                       (struct orf_token *)token_convert);
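Review bot: the only change in this hunk is an extra blank line before `if (endian_conversion_needed)`, which leaves two consecutive empty lines and is unrelated to the fix, so it should be dropped from the patch. It is also worth noting that `orf_token_endian_convert` reads `msg` as a `struct orf_token` at this point, ahead of the length check added in the next hunk, so a short message would already have been read here.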
> @@ -3158,10 +3159,19 @@ static int message_handler_orf_token (
>        * Make copy of token and retransmit list in case we have
>        * to flush incoming messages from the kernel queue
>        */
> +     if (msg_len < sizeof (struct orf_token)) {
> +             log_printf (instance->totemsrp_log_level_error,
> +                                     "message corrupt.  Length is %d, should 
> be %d\n",
> +                                     msg_len, (sizeof (struct orf_token)));
> +             return;
> +     }
>       token = (struct orf_token *)token_storage;
>       memcpy (token, msg, sizeof (struct orf_token));
> +     if (token->rtr_list_entries > RETRANSMIT_ENTRIES_MAX) {
> +             token->rtr_list_entries = RETRANSMIT_ENTRIES_MAX;
> +     }
>       memcpy (&token->rtr_list[0], msg + sizeof (struct orf_token),
> -             sizeof (struct rtr_item) * RETRANSMIT_ENTRIES_MAX);
> +             sizeof (struct rtr_item) * token->rtr_list_entries);
>  
> 
>       /*
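Review bot: the new `msg_len < sizeof (struct orf_token)` test covers only the fixed header, while the second `memcpy` still reads `sizeof (struct rtr_item) * token->rtr_list_entries` bytes starting at `msg + sizeof (struct orf_token)` with nothing confirming that `msg_len` includes them. Clamping `rtr_list_entries` to `RETRANSMIT_ENTRIES_MAX` caps the copy size but does not tie it to the received length; comparing `msg_len` against `sizeof (struct orf_token) + token->rtr_list_entries * sizeof (struct rtr_item)` and rejecting the token on mismatch would close that gap, and rejecting rather than silently clamping an oversized count would make the corruption visible. If `rtr_list_entries` is a signed field, a negative value passes the `>` comparison and becomes a very large copy size, so a lower bound is needed as well. Three smaller points: the function is declared `static int` in the hunk header but the error path uses a bare `return;`; the `%d` conversions are given a `sizeof` result, which is a `size_t` and needs `%zu` or a cast; and the check sits below the existing "Make copy of token" comment and after the endian conversion, so it would be better placed at the top of the handler before `msg` is first interpreted.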

_______________________________________________
Openais mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/openais
