File 820.patch of Package corosync

From d5315f96fa502310d7cf722ca4eb9c9f1a7c844d Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Thu, 2 Apr 2026 09:00:39 +0200
Subject: [PATCH 1/2] totemsrp: Return error if sanity check fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, the check_memb_commit_token_sanity function correctly
checked the minimum message length. However, if the message was too
short, it incorrectly returned a success code (0) instead of the
expected failure code (-1).

This commit ensures the appropriate error code is returned when the
message length sanity check fails.

Fixes: CVE-2026-35091

Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com>
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
 exec/totemsrp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index a716ae9fe..372a96d1f 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity(
 		log_printf (instance->totemsrp_log_level_security,
 		    "Received memb_commit_token message is too short...  ignoring.");
 
-		return (0);
+		return (-1);
 	}
 
-	addr_entries= mct_msg->addr_entries;
+	addr_entries = mct_msg->addr_entries;
 	if (endian_conversion_needed) {
 		addr_entries = swab32(addr_entries);
 	}

From 261a200b6d0b69ddb580a7267f152c163c1f0325 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Thu, 2 Apr 2026 09:44:06 +0200
Subject: [PATCH 2/2] totemsrp: Fix integer overflow in memb_join_sanity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit addresses an integer overflow (wraparound) vulnerability
in the check_memb_join_sanity function.

Previously, the 32-bit unsigned network values proc_list_entries and
failed_list_entries were added together before being promoted to
size_t. This allowed the addition to wrap around in 32-bit arithmetic
(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len
calculation that was incorrectly small.

The solution is to cast the list entries to size_t and verify that
neither exceeds the maximum allowed value before the addition occurs.

Fixes: CVE-2026-35092

Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com>
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
 exec/totemsrp.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index 372a96d1f..67596911a 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity(
 		failed_list_entries = swab32(failed_list_entries);
 	}
 
-	required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr));
+	if (proc_list_entries > PROCESSOR_COUNT_MAX ||
+	    failed_list_entries > PROCESSOR_COUNT_MAX) {
+		log_printf (instance->totemsrp_log_level_security,
+		    "Received memb_join message list_entries exceeds the maximum "
+		    "allowed value...  ignoring.");
+
+		return (-1);
+	}
+
+	required_len = sizeof(struct memb_join) +
+	  (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr));
 	if (msg_len < required_len) {
 		log_printf (instance->totemsrp_log_level_security,
 		    "Received memb_join message is too short...  ignoring.");