vqsim: Check length of received message
authorJan Friesse <jfriesse@redhat.com>
Tue, 11 Jun 2019 12:48:41 +0000 (14:48 +0200)
committerJan Friesse <jfriesse@redhat.com>
Wed, 12 Jun 2019 13:40:52 +0000 (15:40 +0200)
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
vqsim/vqmain.c

index aaba512e96d719fe935f05223593f18363349cfb..98729b9e27c0afbcbfe49dc565ed75b0130b7a50 100644 (file)
@@ -222,13 +222,23 @@ static int vq_parent_read_fn(int32_t fd, int32_t revents, void *data)
                msglen = read(fd, msgbuf, sizeof(msgbuf));
                if (msglen < 0) {
                        perror("read failed");
-               }
-
-               if (msglen > 0) {
+               } else if (msglen < sizeof(*msg)) {
+                       fprintf(stderr, "Received message is too short\n");
+               } else {
                        msg = (void*)msgbuf;
                        switch (msg->type) {
                        case VQMSG_QUORUM:
                                qmsg = (void*)msgbuf;
+                               /*
+                                * Check length of message.
+                                * SOCK_SEQPACKET is used so this check is not strictly needed.
+                                */
+                               if (msglen < sizeof(*qmsg) ||
+                                   qmsg->view_list_entries > MAX_NODES ||
+                                   msglen < sizeof(*qmsg) + sizeof(qmsg->view_list[0]) * qmsg->view_list_entries) {
+                                       fprintf(stderr, "Received quorum message is too short or corrupted\n");
+                                       return (0);
+                               }
                                save_quorum_state(vqn, qmsg);
                                if (!sync_cmds) {
                                        print_quorum_state(vqn);
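Review bot: The comment added in the VQMSG_QUORUM case calls the length check "not strictly needed", which understates it: SOCK_SEQPACKET preserves message boundaries, but it does not guarantee that `view_list_entries`, a field read from the message itself, matches the number of bytes `read()` returned. Without the bound, whatever consumes `qmsg->view_list` (presumably `save_quorum_state`, not visible here) could index past the received data in `msgbuf`. I would reword the comment to `/* SOCK_SEQPACKET keeps message boundaries, but view_list_entries is supplied by the sender and must be validated against msglen and MAX_NODES. */`. Separately, `msglen < sizeof(*msg)` and the two `msglen` comparisons in the quorum check compare what is presumably a signed value against `size_t`, and are correct only because the `msglen < 0` branch runs first; writing `(size_t)msglen` would make that explicit. The body of vq_parent_read_fn starts and ends outside the hunk.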