From mboxrd@z Thu Jan  1 00:00:00 1970
From: pcaulfield@sourceware.org <pcaulfield@sourceware.org>
Date: 21 Jun 2007 07:39:49 -0000
Subject: [Cluster-devel] cluster/cman/daemon daemon.c
Message-ID: <20070621073949.26885.qmail@sourceware.org>
List-Id: <cluster-devel.redhat.com>
To: cluster-devel.redhat.com
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

CVSROOT:	/cvs/cluster
Module name:	cluster
Branch: 	RHEL5
Changes by:	pcaulfield at sourceware.org	2007-06-21 07:39:49

Modified files:
	cman/daemon    : daemon.c 

Log message:
	Patch potential local buffer overflow DoS. Thanks to Fabio Massimo Di Nitto
	bz#244891

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/cluster/cman/daemon/daemon.c.diff?cvsroot=cluster&only_with_tag=RHEL5&r1=1.32.2.1&r2=1.32.2.2

--- cluster/cman/daemon/daemon.c	2007/01/08 10:08:48	1.32.2.1
+++ cluster/cman/daemon/daemon.c	2007/06/21 07:39:49	1.32.2.2
@@ -157,6 +157,8 @@
 		int len;
 		int totallen = 0;
 
+		memset(buf, 0, (MAX_CLUSTER_MESSAGE + sizeof(struct sock_header)));
+
 		len = read(fd, buf, sizeof(struct sock_header));
 
 		P_DAEMON("read %d bytes from fd %d\n", len, fd);
@@ -185,6 +187,11 @@
 			send_status_return(con, msg->command, -EINVAL);
 			return 0;
 		}
+		if ((msg->length-len) > MAX_CLUSTER_MESSAGE) {
+			P_DAEMON("message on socket is too big\n");
+			send_status_return(con, msg->command, -EINVAL);
+			return 0;
+		}
 
 		totallen = len;