From 90181d3dd19e6c9c75b7623f6b9893facde044d3 Mon Sep 17 00:00:00 2001
From: Steven Dake
Date: Mon, 26 Sep 2005 21:27:57 +0000
Subject: [PATCH] defect 897 fix new_message_queue can be overwritten
git-svn-id: http://svn.fedorahosted.org/svn/corosync/trunk@825 fd59a12c-fef9-0310-b244-a6a79926bd2f
---
 exec/totempg.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/exec/totempg.c b/exec/totempg.c
index 24251d5f..63fe4b7b 100644
--- a/exec/totempg.c
+++ b/exec/totempg.c
@@ -172,7 +172,7 @@ int assembly_list_entries = 0;
 * fragment_contuation indicates whether the first packed message in
 * the buffer is a continuation of a previously packed fragment.
 */
-static unsigned char fragmentation_data[MESSAGE_SIZE_MAX];
+static unsigned char *fragmentation_data;
 int fragment_size = 0;
 int fragment_continuation = 0;
@@ -478,6 +478,11 @@ int totempg_initialize (
 totempg_totem_config = totem_config;
+ fragmentation_data = malloc (TOTEMPG_PACKET_SIZE);
+ if (fragmentation_data == 0) {
+ return (-1);
+ }
+
 res = totemmrp_initialize (
 poll_handle,
 totemsrp_handle,
@@ -527,10 +532,19 @@ int totempg_mcast (
 mcast_packed_msg_lens[mcast_packed_msg_count] = 0;
+ /*
+ * Check if we would overwrite new message queue
+ */
 for (i = 0; i < iov_len; i++) {
 total_size += iovec[i].iov_len;
 }
+ if( totempg_send_ok (total_size + sizeof(unsigned short) *
+ (mcast_packed_msg_count+1)) == 0) {
+
+ return(-1);
+ }
+
 for (i = 0; i < iov_len; ) {
 mcast.fragmented = 0;
 mcast.continuation = fragment_continuation;
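Review bot: The buffer's size changes from MESSAGE_SIZE_MAX to TOTEMPG_PACKET_SIZE along with this declaration (the allocation is in the totempg_initialize hunk), and the patch does not show how the two constants compare, so every write into `fragmentation_data` needs to be checked against the new bound. If TOTEMPG_PACKET_SIZE is the smaller of the two, packing code outside these hunks that was sized for the old array could write past the end of the heap buffer. Any `sizeof(fragmentation_data)` elsewhere in the file would also now yield the pointer size rather than the buffer size. A comment on the declaration such as `/* heap buffer of TOTEMPG_PACKET_SIZE bytes, allocated in totempg_initialize */` would record the bound where readers look for it.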
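Review bot: The buffer allocated here has no visible release: if `totemmrp_initialize` fails afterwards, or `totempg_initialize` runs a second time, the earlier allocation would leak. The rest of the function is outside the hunk, so this should be confirmed there. Until this function has run, `fragmentation_data` is a null pointer, so any path that packs a message before initialization would now dereference NULL where the static array was always valid. For readability the test would be better written as `if (fragmentation_data == NULL) {`.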
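Review bot: The size passed to `totempg_send_ok` is built from an unchecked sum of caller-supplied `iov_len` values, so a very large or wrapped `total_size` could let the new queue check pass when it should fail. The declaration and type of `total_size` are outside the hunk, so this needs confirming. Bounding the sum as it is accumulated would close that, e.g. `if (iovec[i].iov_len > LIMIT - total_size) return (-1);`, with LIMIT standing for the largest message totempg accepts (a placeholder, not a name from this file). The new early return also deserves a line in the function's header comment, such as `/* returns -1, queuing nothing, when the message would not fit in the new message queue */`, since callers now have to handle that result. totempg_mcast starts and ends outside the hunk.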