From mboxrd@z Thu Jan 1 00:00:00 1970 From: pcaulfield@sourceware.org Date: 28 Jun 2007 08:07:35 -0000 Subject: [Cluster-devel] cluster/cman/daemon daemon.c Message-ID: <20070628080735.30069.qmail@sourceware.org> List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit CVSROOT: /cvs/cluster Module name: cluster Branch: RHEL50 Changes by: pcaulfield at sourceware.org 2007-06-28 08:07:35 Modified files: cman/daemon : daemon.c Log message: Make sure to cleanup the buffer when processing each request or dirty data can be passed from one request to another. Add a barrier to make sure that the socket data are not bigger than the buffer or we overflow somewhere at random. 21:41 #sistina: < feist> pjc: can you commit that first cman security fix to RHEL50, (the rpm has already been built, but it would be nice for tracking purposes). Patches: http://sourceware.org/cgi-bin/cvsweb.cgi/cluster/cman/daemon/daemon.c.diff?cvsroot=cluster&only_with_tag=RHEL50&r1=1.32&r2=1.32.4.1 --- cluster/cman/daemon/daemon.c 2006/09/14 13:01:06 1.32 +++ cluster/cman/daemon/daemon.c 2007/06/28 08:07:34 1.32.4.1 @@ -147,6 +147,8 @@ int len; int totallen = 0; + memset(buf, 0, (MAX_CLUSTER_MESSAGE + sizeof(struct sock_header))); + len = read(fd, buf, sizeof(struct sock_header)); P_DAEMON("read %d bytes from fd %d\n", len, fd); @@ -175,6 +177,11 @@ send_status_return(con, msg->command, -EINVAL); return 0; } + if ((msg->length-len) > MAX_CLUSTER_MESSAGE) { + P_DAEMON("message on socket is too big\n"); + send_status_return(con, msg->command, -EINVAL); + return 0; + } totallen = len;