forked from pool/corosync
27 lines
1.0 KiB
Diff
27 lines
1.0 KiB
Diff
|
--- corosync-2.4.3.orig/exec/totemcrypto.c 2017-10-20 20:40:19.000000000 +0800
|
||
|
+++ corosync-2.4.3/exec/totemcrypto.c 2018-04-13 13:01:02.864922963 +0800
|
||
|
@@ -736,6 +736,11 @@
|
||
|
unsigned char tmp_hash[hash_len[instance->crypto_hash_type]];
|
||
|
int datalen = *buf_len - hash_len[instance->crypto_hash_type];
|
||
|
|
||
|
+ if (*buf_len <= hash_len[instance->crypto_hash_type]) {
|
||
|
+ log_printf(instance->log_level_security, "Received message is too short... ignoring");
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
+
|
||
|
if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) {
|
||
|
return -1;
|
||
|
}
|
||
|
@@ -845,6 +850,11 @@
|
||
|
{
|
||
|
struct crypto_config_header *cch = (struct crypto_config_header *)buf;
|
||
|
|
||
|
+ if (*buf_len <= sizeof(struct crypto_config_header)) {
|
||
|
+ log_printf(instance->log_level_security, "Received message is too short... ignoring");
|
||
|
+ return (-1);
|
||
|
+ }
|
||
|
+
|
||
|
if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
|
||
|
log_printf(instance->log_level_security,
|
||
|
"Incoming packet has different crypto type. Rejecting");
|