When a received message was too long, the assembly data was accessed
incorrectly. The solution is to check the size.

Signed-off-by: Jan Friesse <[email protected]>
---
 exec/totempg.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/exec/totempg.c b/exec/totempg.c
index fe111b1..c5eeea1 100644
--- a/exec/totempg.c
+++ b/exec/totempg.c
@@ -657,8 +657,16 @@ static void totempg_deliver_fn (
                }
        }
 
-       memcpy (&assembly->data[assembly->index], &data[datasize],
-               msg_len - datasize);
+       if (assembly->index + msg_len - datasize > MESSAGE_SIZE_MAX) {
+               if (assembly->throw_away_mode != THROW_AWAY_ACTIVE) {
+                       log_printf (LOG_ERR, "Received message is too long (longer then %u bytes limit). Throwing away.",
+                           MESSAGE_SIZE_MAX);
+                       assembly->throw_away_mode = THROW_AWAY_ACTIVE;
+               }
+       } else {
+               memcpy (&assembly->data[assembly->index], &data[datasize],
+                   msg_len - datasize);
+       }
 
        /*
         * If the last message in the buffer is a fragment, then we
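Review bot: The new bound check guards only the `memcpy`, while `totempg_deliver_fn` continues past the end of this hunk, so on the oversize path the code that follows still runs with nothing copied. That code is not visible here, so it should be confirmed that it neither advances `assembly->index` nor delivers from `assembly->data` once `throw_away_mode` has been set to `THROW_AWAY_ACTIVE`. The test also computes `assembly->index + msg_len - datasize` from a received length, and depending on the operand types (not shown in the hunk) a `msg_len` smaller than `datasize` could wrap or go negative and slip past the comparison. A form such as `if (msg_len < datasize || msg_len - datasize > MESSAGE_SIZE_MAX - assembly->index)`, with casts as the declared types require, avoids that. A short comment stating that `assembly->data` is assumed to hold `MESSAGE_SIZE_MAX` bytes would document why that constant is the right limit, and the log text should read "longer than".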
-- 
1.7.1
