--- corosync-2.3.5/exec/totemcrypto.c.orig 2015-07-01 18:15:45.000000000 +0300
+++ corosync-2.3.5/exec/totemcrypto.c 2018-04-14 11:19:20.598726242 +0300
@@ -627,6 +627,11 @@
 unsigned char tmp_hash[hash_len[instance->crypto_hash_type]];
 int datalen = *buf_len - hash_len[instance->crypto_hash_type];
 
+ if (*buf_len <= hash_len[instance->crypto_hash_type]) {
+ log_printf(instance->log_level_security, "Received message is too short... ignoring");
+ return -1;
+ }
+
 if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) {
 return -1;
 }
@@ -736,6 +741,12 @@
 {
 struct crypto_config_header *cch = (struct crypto_config_header *)buf;
 
+ if (*buf_len <= sizeof(struct crypto_config_header)) {
+ log_printf(instance->log_level_security, "Received message is too short... ignoring");
+
+ return (-1);
+ }
+
 if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
 log_printf(instance->log_level_security,
 "Incoming packet has different crypto type. Rejecting");
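Review bot: The new test `*buf_len <= hash_len[instance->crypto_hash_type]` compares a length that appears to be a signed `int` (judging by `int datalen`) with a table entry whose type is not visible in the hunk. If `hash_len` holds `size_t` values, a negative `*buf_len` is converted to a large unsigned number and passes the check, so the explicit form `if (*buf_len < 0 || (size_t)*buf_len <= hash_len[instance->crypto_hash_type])` is safer. The same applies to the `sizeof(struct crypto_config_header)` comparison in the second hunk, where the right-hand side is certainly `size_t`. Whether a caller can ever pass a negative length cannot be told from here, since the enclosing function starts and ends outside the hunk. `datalen` is still computed in its initializer before the check, which is harmless only because it is not read until afterwards.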
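Review bot: Both new checks log the identical text "Received message is too short... ignoring", so a rejected packet cannot be attributed from the logs to this header check or to the hash-length check in the first hunk. A distinct message that carries the received length would make triage of malformed traffic easier, e.g. `log_printf(instance->log_level_security, "Received message is too short for crypto header (%d bytes)... ignoring", *buf_len);`. That assumes `log_printf` takes printf-style arguments, which the hunk does not show. As a style point, `return (-1);` and the blank line before it differ from the `return -1;` form used in the first hunk. The function's signature and the rest of its body lie outside the hunk.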