Index: exec/ipc.c
===================================================================
--- exec/ipc.c (revision 2096)
+++ exec/ipc.c (revision 2097)
@@ -363,6 +363,19 @@
 send_ok = 0;
 }
+ /*
+ * This happens when the message contains some kind of invalid
+ * parameter, such as an invalid size
+ */
+ if (reserved_msgs == -1) {
+ res_overlay.header.size =
+ ais_service[conn_info->service]->lib_service[header->id].response_size;
+ res_overlay.header.id =
+ ais_service[conn_info->service]->lib_service[header->id].response_id;
+ res_overlay.header.error = SA_AIS_ERR_INVALID_PARAM;
+ openais_response_send (conn_info, &res_overlay,
+ res_overlay.header.size);
+ } else
 if (send_ok) {
 ipc_serialize_lock_fn();
 ais_service[conn_info->service]->lib_service[header->id].lib_handler_fn (conn_info, header);
@@ -380,7 +393,9 @@
 res_overlay.header.size);
 }
- totempg_groups_joined_release (reserved_msgs);
+ if (reserved_msgs != -1) {
+ totempg_groups_joined_release (reserved_msgs);
+ }
 openais_conn_refcount_dec (conn);
 }
 pthread_exit (0);
Index: exec/totempg.c
===================================================================
--- exec/totempg.c (revision 2096)
+++ exec/totempg.c (revision 2097)
@@ -144,8 +144,10 @@
 static int mcast_packed_msg_count = 0;
-static int totempg_reserved = 0;
+static int totempg_reserved = 1;
+static unsigned int totempg_size_limit;
+
 /*
 * Function and data used to log messages
 */
@@ -707,6 +709,8 @@
 return (-1);
 }
+ totemsrp_net_mtu_adjust (totem_config);
+
 res = totemmrp_initialize (
 poll_handle,
 totem_config,
@@ -720,7 +724,9 @@
 callback_token_received_fn,
 0);
- totemsrp_net_mtu_adjust (totem_config);
+ totempg_size_limit = (totemmrp_avail() - 1) *
+ (totempg_totem_config->net_mtu -
+ sizeof (struct totempg_mcast) - 16);
 return (res);
 }
@@ -779,7 +785,7 @@
 }
 if (byte_count_send_ok (total_size + sizeof(unsigned short) *
- (mcast_packed_msg_count+1)) == 0) {
+ (mcast_packed_msg_count)) == 0) {
 pthread_mutex_unlock (&mcast_msg_mutex);
 return(-1);
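Review bot: `} else` on its own line followed by `if (send_ok) {` on the next reads like a stray else at first glance; `} else if (send_ok) {` on one line says the same thing and keeps the three-way decision (-1 reply with INVALID_PARAM, send_ok dispatch, any remaining else) visible in one place. The new block also repeats the `ais_service[conn_info->service]->lib_service[header->id]` lookup that the dispatch line below already performs, so one local pointer to that table entry would shorten all of the uses in this function. The comment above the branch should say where the -1 comes from so the next reader does not have to trace it into totempg.c, e.g. `/* reserved_msgs == -1: the totempg reserve refused the message outright (it exceeds the size limit), so answer INVALID_PARAM and skip the release below */`. The same sentinel is tested again in the second hunk of this file (`if (reserved_msgs != -1)`); the enclosing function begins before and ends after both hunks.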
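Review bot: `totempg_reserved` changes its initial value from 0 to 1 without a comment, and from the later hunks this appears to replace the `- 1` slack that msg_count_send_ok and byte_count_send_ok used to subtract from totemmrp_avail (); that relationship belongs at the definition, e.g. `/* Message slots currently reserved by callers; starts at 1 so one slot is always held back from totemmrp_avail () */`. `totempg_size_limit` deserves one as well, such as `/* Largest message (bytes) the group reserve path accepts; computed at initialization from totemmrp_avail () and net_mtu */`. Being a file-scope static it is zero until that initialization runs, so the later `size >= totempg_size_limit` check rejects every message before then; if that is intended, the comment is the place to say so.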
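Review bot: The per-packet payload expression `totempg_totem_config->net_mtu - sizeof (struct totempg_mcast) - 16` now appears three times (here and in byte_count_send_ok and send_reserve in the later hunks), and the literal 16 carries no explanation; a single `static inline` helper or a named constant for the 16 would keep the copies from drifting the way the old `- 25` had. The multiplication also mixes `int` and `size_t`: `(totemmrp_avail() - 1)` is an int, so if totemmrp_avail () were 0 at this point the -1 converts to SIZE_MAX before the multiply and the result truncated into `totempg_size_limit` is arbitrary; an explicit guard such as `assert (totemmrp_avail () > 1);` before the assignment, mirroring the `assert (totemmrp_avail() > 0)` used ahead of totemmrp_mcast, would make the assumption visible. This hunk reads `totempg_totem_config` while the surrounding initialization code passes `totem_config`; presumably they are the same object, but a short comment would save the reader checking.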
@@ -859,6 +865,9 @@
 iovecs[2].iov_len = max_packet_size;
 assert (totemmrp_avail() > 0);
 res = totemmrp_mcast (iovecs, 3, guarantee);
+ if (res == -1) {
+ goto error_exit;
+ }
 /*
 * Recalculate counts and indexes for the next.
@@ -894,6 +903,7 @@
 mcast_packed_msg_count++;
 }
+error_exit:
 pthread_mutex_unlock (&mcast_msg_mutex);
 return (res);
 }
@@ -906,9 +916,9 @@
 {
 int avail = 0;
- avail = totemmrp_avail () - totempg_reserved - 1;
+ avail = totemmrp_avail ();
- return (avail > msg_count);
+ return ((avail - totempg_reserved) > msg_count);
 }
 /*
@@ -923,11 +933,11 @@
 unsigned int msg_count = 0;
 int avail = 0;
- avail = totemmrp_avail () - 1;
+ avail = totemmrp_avail ();
- msg_count = (byte_count / (totempg_totem_config->net_mtu - 25)) + 1;
+ msg_count = (byte_count / (totempg_totem_config->net_mtu - sizeof (struct totempg_mcast) - 16)) + 1;
- return (avail > msg_count);
+ return (avail >= msg_count);
 }
 static int send_reserve (
@@ -935,7 +945,7 @@
 {
 unsigned int msg_count = 0;
- msg_count = (msg_size / (totempg_totem_config->net_mtu - 25)) + 1;
+ msg_count = (msg_size / (totempg_totem_config->net_mtu - sizeof (struct totempg_mcast) - 16)) + 1;
 totempg_reserved += msg_count;
 return (msg_count);
@@ -1156,6 +1166,10 @@
 for (i = 0; i < iov_len; i++) {
 size += iovec[i].iov_len;
 }
+ if (size >= totempg_size_limit) {
+ reserved = -1;
+ goto error_put;
+ }
 reserved = send_reserve (size);
 if (msg_count_send_ok (reserved) == 0) {
@@ -1163,6 +1177,7 @@
 reserved = 0;
 }
+error_put:
 hdb_handle_put (&totempg_groups_instance_database, handle);
 error_exit:
Index: lib/util.c
===================================================================
--- lib/util.c (revision 2096)
+++ lib/util.c (revision 2097)
@@ -574,6 +574,9 @@
 int req_buffer_idx = 0;
 for (i = 0; i < iov_len; i++) {
+ if ((req_buffer_idx + iov[i].iov_len) > REQ_SIZE) {
+ return (SA_AIS_ERR_INVALID_PARAM);
+ }
 memcpy (&ipc_segment->shared_memory->req_buffer[req_buffer_idx],
 iov[i].iov_base, iov[i].iov_len);
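Review bot: `(avail - totempg_reserved) > msg_count` in msg_count_send_ok compares a signed difference with `msg_count`; if `msg_count` is unsigned (its parameter type is outside the hunk, but the count it receives comes from send_reserve's `unsigned int msg_count`), a negative difference — totemmrp_avail () below the outstanding reservations — converts to a large unsigned value and the function answers "ok" exactly when there is no room. Testing the slack as a signed value first avoids that: `int slack = totemmrp_avail () - totempg_reserved;` and `return (slack > 0 && (unsigned int) slack > msg_count);`. byte_count_send_ok in the next hunk has the same shape with types that are visible (`int avail` against `unsigned int msg_count` in `avail >= msg_count`), so a negative `avail` would likewise read as large; `avail > 0 &&` there covers it. The pre-change code had the same comparison, so this is not introduced here, but the rewrite is the natural place to close it.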
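Review bot: The new rejection in the `@@ -1156` hunk hands back `-1` through `reserved`, the same variable that otherwise carries a reservation count, and ipc.c now has to special-case that value in two places; the function's header comment (outside the hunk) should spell out the contract, e.g. `/* Returns the number of message slots reserved, 0 if there is currently no room, or -1 if the message can never be sent (size >= totempg_size_limit); a -1 result must not be passed to totempg_groups_joined_release */`. `size >= totempg_size_limit` also rejects a message of exactly the limit even though the limit is computed from whole packets; if the bound is meant to be inclusive the comparison should be `>`, otherwise a comment stating that the limit is exclusive would remove the doubt. The function's start and its final return are outside the hunk, so whether `reserved` is what it ultimately returns is inferred from the `error_put`/`error_exit` flow.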