
openais-0.80.6-28.el5_6.1.src.rpm

Index: exec/ipc.c
===================================================================
--- exec/ipc.c	(revision 2096)
+++ exec/ipc.c	(revision 2097)
@@ -363,6 +363,19 @@
 		    send_ok = 0;
 		}
 
+		/*
+		 * This happens when the message contains some kind of invalid
+		 * parameter, such as an invalid size
+		 */
+		if (reserved_msgs == -1) {
+			res_overlay.header.size =
+					ais_service[conn_info->service]->lib_service[header->id].response_size;
+			res_overlay.header.id =
+				ais_service[conn_info->service]->lib_service[header->id].response_id;
+			res_overlay.header.error = SA_AIS_ERR_INVALID_PARAM;
+			openais_response_send (conn_info, &res_overlay,
+				res_overlay.header.size);
+		} else
 		if (send_ok) {
  			ipc_serialize_lock_fn();
 			ais_service[conn_info->service]->lib_service[header->id].lib_handler_fn (conn_info, header);
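Review bot: The new `reserved_msgs == -1` branch assigns only `header.size`, `header.id` and `header.error` before passing `response_size` bytes of `res_overlay` to `openais_response_send`. Unless `res_overlay` is cleared earlier in this function (outside the hunk), the bytes after the header go to the client with whatever the buffer last held. Clearing it first keeps the error reply deterministic: `memset (&res_overlay, 0, sizeof (res_overlay));` ahead of the three assignments. The same branch indexes `lib_service[header->id]` on a message that was just rejected as invalid, so it is worth confirming that `header->id` is range-checked before this point.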
@@ -380,7 +393,9 @@
 				res_overlay.header.size);
 		}
 
-		totempg_groups_joined_release (reserved_msgs);
+		if (reserved_msgs != -1) {
+			totempg_groups_joined_release (reserved_msgs);
+		}
 		openais_conn_refcount_dec (conn);
 	}
 	pthread_exit (0);
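Review bot: The bare `-1` tested in `if (reserved_msgs != -1)` is a sentinel produced in a different file (`reserved = -1` in exec/totempg.c), and nothing here says what it means. A short comment on the guard would make the contract visible, for example `/* -1: the reservation was rejected as oversized, so nothing was reserved and there is nothing to release */`. The same literal is compared in the earlier ipc.c hunk; a shared named constant would keep the three sites in step.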
Index: exec/totempg.c
===================================================================
--- exec/totempg.c	(revision 2096)
+++ exec/totempg.c	(revision 2097)
@@ -144,8 +144,10 @@
 
 static int mcast_packed_msg_count = 0;
 
-static int totempg_reserved = 0;
+static int totempg_reserved = 1;
 
+static unsigned int totempg_size_limit;
+
 /*
  * Function and data used to log messages
  */
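Review bot: Neither the new initial value `totempg_reserved = 1` nor the new `totempg_size_limit` carries a comment. The `1` appears to replace the `- 1` removed from `msg_count_send_ok` later in this patch, which is easy to miss. Suggested comments: `/* starts at 1: one queue slot is always held back (was the "- 1" in msg_count_send_ok) */` and `/* largest message size in bytes accepted for reservation; computed in the initializer, 0 until then */`.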
@@ -707,6 +709,8 @@
 		return (-1);
 	}
 
+	totemsrp_net_mtu_adjust (totem_config);
+
 	res = totemmrp_initialize (
 		poll_handle,
 		totem_config,
@@ -720,7 +724,9 @@
 		callback_token_received_fn,
 		0);
 
-	totemsrp_net_mtu_adjust (totem_config);
+	totempg_size_limit = (totemmrp_avail() - 1) *
+		(totempg_totem_config->net_mtu -
+		sizeof (struct totempg_mcast) - 16);
 
 	return (res);
 }
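Review bot: The `totempg_size_limit` computation is done in unsigned arithmetic because of the `sizeof` operand. If `net_mtu` is not larger than `sizeof (struct totempg_mcast) + 16`, or `totemmrp_avail()` returns less than 1, the product wraps to a very large value and the size check that relies on it stops rejecting anything. The same per-packet payload expression is the divisor in `byte_count_send_ok` and `send_reserve` further down, where a value of zero would be a division by zero. Guard it once, e.g. `if (totemmrp_avail() < 2 || totempg_totem_config->net_mtu <= sizeof (struct totempg_mcast) + 16) { totempg_size_limit = 0; }`, and consider a single helper for the repeated expression, with a comment explaining the `16`. The limit is also computed when `totemmrp_initialize` has returned an error in `res`; the function body starts outside the hunk.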
@@ -779,7 +785,7 @@
 	}
 
 	if (byte_count_send_ok (total_size + sizeof(unsigned short) *
-		(mcast_packed_msg_count+1)) == 0) {
+		(mcast_packed_msg_count)) == 0) {
 
 		pthread_mutex_unlock (&mcast_msg_mutex);
 		return(-1);
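Review bot: Dropping the `+1` in the `byte_count_send_ok` argument changes how many `unsigned short` length slots are counted, and the patch gives no reason. If `mcast_packed_msg_count` counts only messages already packed (its increment near the end of the function suggests so), the slot for the message being added is no longer included in the size estimate. Please confirm that is intended and record it next to the call, e.g. `/* length slot for this message is accounted for by ... */`. The surrounding function starts and ends outside this hunk.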
@@ -859,6 +865,9 @@
 			iovecs[2].iov_len = max_packet_size;
 			assert (totemmrp_avail() > 0);
 			res = totemmrp_mcast (iovecs, 3, guarantee);
+			if (res == -1) {
+				goto error_exit;
+			}
 
 			/*
 			 * Recalculate counts and indexes for the next.
@@ -894,6 +903,7 @@
 			mcast_packed_msg_count++;
 	}
 
+error_exit:
 	pthread_mutex_unlock (&mcast_msg_mutex);
 	return (res);
 }
@@ -906,9 +916,9 @@
 {
 	int avail = 0;
 
-	avail = totemmrp_avail () - totempg_reserved - 1;
+	avail = totemmrp_avail ();
 	
-	return (avail > msg_count);
+	return ((avail - totempg_reserved) > msg_count);
 }
 
 /*
@@ -923,11 +933,11 @@
 	unsigned int msg_count = 0;
 	int avail = 0;
 
-	avail = totemmrp_avail () - 1;
+	avail = totemmrp_avail ();
 
-	msg_count = (byte_count / (totempg_totem_config->net_mtu - 25)) + 1; 
+	msg_count = (byte_count / (totempg_totem_config->net_mtu - sizeof (struct totempg_mcast) - 16)) + 1;
 
-	return (avail > msg_count);
+	return (avail >= msg_count);
 }
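Review bot: `return (avail >= msg_count);` compares an `int` with an `unsigned int`, so `avail` is converted to unsigned before the comparison. A negative return from `totemmrp_avail()` (its range is not visible here) would then compare as a very large number and report that sending is OK. Making the sign handling explicit avoids this: `return (avail > 0 && (unsigned int)avail >= msg_count);`. The initializer in `int avail = 0;` is also dead, since the value is overwritten on the next statement.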
 
 static int send_reserve (
@@ -935,7 +945,7 @@
 {
 	unsigned int msg_count = 0;
 
-	msg_count = (msg_size / (totempg_totem_config->net_mtu - 25)) + 1; 
+	msg_count = (msg_size / (totempg_totem_config->net_mtu - sizeof (struct totempg_mcast) - 16)) + 1;
 	totempg_reserved += msg_count;
 
 	return (msg_count);
@@ -1156,6 +1166,10 @@
 	for (i = 0; i < iov_len; i++) {
 		size += iovec[i].iov_len;
 	}
+	if (size >= totempg_size_limit) {
+		reserved = -1;
+		goto error_put;
+	}
 
 	reserved = send_reserve (size);
 	if (msg_count_send_ok (reserved) == 0) {
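Review bot: The new `size >= totempg_size_limit` check runs only after the loop has summed every `iov_len` into `size`, and that sum is unchecked. If `size` is narrower than `size_t`, or the lengths are large enough, it can wrap to a small value and pass the limit. The declaration of `size` is outside the hunk, so its width should be confirmed. Checking inside the loop before adding removes the dependency on the width: `if (iovec[i].iov_len >= totempg_size_limit - size) { reserved = -1; goto error_put; }` followed by the existing `size += iovec[i].iov_len;`.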
@@ -1163,6 +1177,7 @@
 		reserved = 0;
 	}
 
+error_put:
 	hdb_handle_put (&totempg_groups_instance_database, handle);
 
 error_exit:
Index: lib/util.c
===================================================================
--- lib/util.c	(revision 2096)
+++ lib/util.c	(revision 2097)
@@ -574,6 +574,9 @@
 	int req_buffer_idx = 0;
 
 	for (i = 0; i < iov_len; i++) {
+		if ((req_buffer_idx + iov[i].iov_len) > REQ_SIZE) {
+			return (SA_AIS_ERR_INVALID_PARAM);
+		}
 		memcpy (&ipc_segment->shared_memory->req_buffer[req_buffer_idx],
 			iov[i].iov_base,
 			iov[i].iov_len);
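Review bot: The bounds check `(req_buffer_idx + iov[i].iov_len) > REQ_SIZE` performs the addition in `size_t`, so a very large `iov_len` can wrap the sum below `REQ_SIZE` and still reach the `memcpy`. Comparing against the remaining space avoids the wrap: `if (iov[i].iov_len > (size_t)(REQ_SIZE - req_buffer_idx)) {`. This holds as long as `req_buffer_idx` never exceeds `REQ_SIZE`, which the check itself maintains. The early `return` also leaves the function from inside the copy loop. The function starts and ends outside the hunk, so confirm that no lock or semaphore taken earlier is left held on this path.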