Overview

File 0011-bsc#1089346-corosync-Integer-overflow-in-totemcrypto.patch of Package corosync.6022

--- corosync-2.4.3.orig/exec/totemcrypto.c	2017-10-20 20:40:19.000000000 +0800
+++ corosync-2.4.3/exec/totemcrypto.c	2018-04-13 13:01:02.864922963 +0800
@@ -736,6 +736,11 @@
 		unsigned char	tmp_hash[hash_len[instance->crypto_hash_type]];
 		int             datalen = *buf_len - hash_len[instance->crypto_hash_type];
 
+		if (*buf_len <= hash_len[instance->crypto_hash_type]) {
+			log_printf(instance->log_level_security, "Received message is too short...  ignoring");
+			return -1;
+		}
+        
 		if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) {
 			return -1;
 		}
@@ -845,6 +850,11 @@
 {
 	struct crypto_config_header *cch = (struct crypto_config_header *)buf;
 
+	if (*buf_len <= sizeof(struct crypto_config_header)) {
+		log_printf(instance->log_level_security, "Received message is too short...  ignoring");
+		return (-1);
+	}
+    
 	if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
 		log_printf(instance->log_level_security,
 			   "Incoming packet has different crypto type. Rejecting");
openSUSE Build Service is sponsored by
Places