From ea7d0a01337dd3849bee9a2719d4ccf54adf5c29 Mon Sep 17 00:00:00 2001
From: Jan Friesse
Date: Mon, 24 Mar 2025 12:05:08 +0100
Subject: [PATCH] totemsrp: Check size of orf_token msg
orf_token message is stored into preallocated array on endian convert so carefully crafted malicious message can lead to crash of corosync. Solution is to check message size beforehand.
Signed-off-by: Jan Friesse
---
 exec/totemsrp.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index 962d0e2a7..364528ce1 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
 const struct totemsrp_instance *instance,
 const void *msg,
 size_t msg_len,
+ size_t max_msg_len,
 int endian_conversion_needed)
 {
 int rtr_entries;
 const struct orf_token *token = (const struct orf_token *)msg;
 size_t required_len;
 
+ if (msg_len > max_msg_len) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message is too long... ignoring.");
+
+ return (-1);
+ }
+
 if (msg_len < sizeof(struct orf_token)) {
 log_printf (instance->totemsrp_log_level_security,
 "Received orf_token message is too short... ignoring.");
@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
 rtr_entries = token->rtr_list_entries;
 }
 
+ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message rtr_entries is corrupted... ignoring.");
+
+ return (-1);
+ }
+
 required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
 if (msg_len < required_len) {
 log_printf (instance->totemsrp_log_level_security,
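Review bot: In the second hunk of check_orf_token_sanity, the new `rtr_entries > RETRANSMIT_ENTRIES_MAX` test does not reject a negative count, and `rtr_entries` is declared `int` a few lines above; a negative value from the wire is only rejected indirectly, because `rtr_entries * sizeof(struct rtr_item)` converts it to a huge `size_t` that fails the `msg_len < required_len` test, which is an implicit guard a later edit to that arithmetic could silently remove. Making the bound explicit is one line: `if (rtr_entries < 0 || rtr_entries > RETRANSMIT_ENTRIES_MAX) {`. Whether `token->rtr_list_entries` can actually carry a negative value depends on its declared type in struct orf_token, which is not visible in this patch. The first hunk's `msg_len > max_msg_len` check is correctly placed before any field of `token` is read, and the body of check_orf_token_sanity continues past the end of both hunks.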
@@ -3868,7 +3883,8 @@ static int message_handler_orf_token (
 "Time since last token %0.4f ms",
 tv_diff / (float)QB_TIME_NS_IN_MSEC);
 #endif
 
- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
+ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
+ endian_conversion_needed) == -1) {
 return (0);
 }
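Review bot: `sizeof(token_storage)` is only the capacity of the destination buffer if `token_storage` is an array object declared in message_handler_orf_token; its declaration is outside this hunk, and if it were a pointer the expression would silently bound `msg_len` by the pointer width instead. The call also encodes an invariant that is easy to break later — the check must stay ahead of the endian-converting copy into that buffer — so the line deserves a comment such as `/* msg must fit token_storage: the endian-converted copy is written there below */`. Both the declaration of token_storage and the rest of message_handler_orf_token lie outside the hunk, so this is inferred from the argument name.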