From 005b9af59db5d2ab77b6856e20f2687f20da4590 Mon Sep 17 00:00:00 2001
From: Steven Dake
Date: Fri, 30 Apr 2010 05:15:41 +0000
Subject: [PATCH] When a message is retransmitted, a memmove operation is done to remove the newly retransmitted entry from the list. It is possible this memmove operation can buffer overflow because it has an invalid length calculation fixed by this revision.

git-svn-id: http://svn.fedorahosted.org/svn/corosync/trunk@2794 fd59a12c-fef9-0310-b244-a6a79926bd2f
---
 exec/totemsrp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index 11a59fd8..58faa876 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -2466,7 +2466,7 @@ static int orf_token_rtr (
 orf_token->rtr_list_entries -= 1;
 assert (orf_token->rtr_list_entries >= 0);
 memmove (&rtr_list[i], &rtr_list[i + 1],
- sizeof (struct rtr_item) * (orf_token->rtr_list_entries));
+ sizeof (struct rtr_item) * (orf_token->rtr_list_entries - i));
 instance->stats.mcast_retx++;
 instance->fcc_remcast_current++;
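Review bot: The corrected length `(orf_token->rtr_list_entries - i)` is only safe while `i` is not greater than the already-decremented entry count, and the sole guard visible in the hunk is an `assert` on `rtr_list_entries >= 0`, which disappears under NDEBUG; if the subtraction ever went negative, the signed result would be multiplied into a `size_t` and wrap to a huge memmove length, recreating the overflow this commit fixes. Since `rtr_list_entries` arrives in the ORF token from the ring, I would strengthen the guard to cover the index as well, e.g. `assert (i <= orf_token->rtr_list_entries);` placed before the memmove, or better a runtime check that bails out of the function rather than an assert. The new line also deserves a comment explaining why the count is reduced by `i`, e.g. `/* shift the (rtr_list_entries - i) entries after slot i down by one */`. The loop that drives `i` starts outside the hunk, so I cannot confirm it re-examines slot `i` after the shift rather than advancing past the entry that was just moved into it; that is worth verifying in the surrounding code.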