diff --git a/ctdb/protocol/protocol_call.c b/ctdb/protocol/protocol_call.c
index a2b24cf0843..2dbd309317b 100644
--- a/ctdb/protocol/protocol_call.c
+++ b/ctdb/protocol/protocol_call.c
@@ -123,6 +123,15 @@ int ctdb_req_call_pull(uint8_t *buf, size_t buflen,
 if (buflen < length) {
 return EMSGSIZE;
 }
+ if (wire->keylen > buflen || wire->calldatalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen < length) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen + wire->calldatalen < length) {
+ return EMSGSIZE;
+ }
 if (buflen < length + wire->keylen + wire->calldatalen) {
 return EMSGSIZE;
 }
@@ -197,6 +206,12 @@ int ctdb_reply_call_pull(uint8_t *buf, size_t buflen,
 if (buflen < length) {
 return EMSGSIZE;
 }
+ if (wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
 if (buflen < length + wire->datalen) {
 return EMSGSIZE;
 }
@@ -262,6 +277,12 @@ int ctdb_reply_error_pull(uint8_t *buf, size_t buflen,
 if (buflen < length) {
 return EMSGSIZE;
 }
+ if (wire->msglen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->msglen < length) {
+ return EMSGSIZE;
+ }
 if (buflen < length + wire->msglen) {
 return EMSGSIZE;
 }
@@ -331,6 +352,15 @@ int ctdb_req_dmaster_pull(uint8_t *buf, size_t buflen,
 if (buflen < length) {
 return EMSGSIZE;
 }
+ if (wire->keylen > buflen || wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen < length) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen + wire->datalen < length) {
+ return EMSGSIZE;
+ }
 if (buflen < length + wire->keylen + wire->datalen) {
 return EMSGSIZE;
 }
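Review bot: In ctdb_req_call_pull the second wrap test, `if (length + wire->keylen + wire->calldatalen < length)`, compares the three-term sum against `length` rather than against the already-checked partial sum, so a wrap whose result lands at or above `length` passes it. Where size_t is 32 bits that needs keylen + calldatalen to reach 2^32, which the preceding `> buflen` bound rules out only while buflen stays below 2^31; that is probably always the case in practice, but the test then depends on it instead of being correct by itself. Because `buflen >= length` is already established just above, a subtraction form cannot wrap and replaces all three added tests: `if (wire->keylen > buflen - length || wire->calldatalen > buflen - length - wire->keylen) return EMSGSIZE;`. The same two-length pattern appears in the ctdb_req_dmaster_pull, ctdb_reply_dmaster_pull and ctdb_reply_control_pull hunks. The declarations of `length` and the wire fields are outside the hunk, so this assumes size_t and unsigned 32-bit fields.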
@@ -408,6 +438,15 @@ int ctdb_reply_dmaster_pull(uint8_t *buf, size_t buflen,
 if (buflen < length) {
 return EMSGSIZE;
 }
+ if (wire->keylen > buflen || wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen < length) {
+ return EMSGSIZE;
+ }
+ if (length + wire->keylen + wire->datalen < length) {
+ return EMSGSIZE;
+ }
 if (buflen < length + wire->keylen + wire->datalen) {
 return EMSGSIZE;
 }
diff --git a/ctdb/protocol/protocol_control.c b/ctdb/protocol/protocol_control.c
index f1c03ae3fd2..dff3f2be9ec 100644
--- a/ctdb/protocol/protocol_control.c
+++ b/ctdb/protocol/protocol_control.c
@@ -1924,6 +1924,12 @@ int ctdb_req_control_pull(uint8_t *buf, size_t buflen,
 if (buflen < length) {
 return EMSGSIZE;
 }
+ if (wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
 if (buflen < length + wire->datalen) {
 return EMSGSIZE;
 }
@@ -2005,6 +2011,15 @@ int ctdb_reply_control_pull(uint8_t *buf, size_t buflen, uint32_t opcode,
 if (buflen < length) {
 return EMSGSIZE;
 }
+ if (wire->datalen > buflen || wire->errorlen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen + wire->errorlen < length) {
+ return EMSGSIZE;
+ }
 if (buflen < length + wire->datalen + wire->errorlen) {
 return EMSGSIZE;
 }
diff --git a/ctdb/protocol/protocol_message.c b/ctdb/protocol/protocol_message.c
index 291ebe6f679..3188c0ef5a8 100644
--- a/ctdb/protocol/protocol_message.c
+++ b/ctdb/protocol/protocol_message.c
@@ -325,6 +325,12 @@ int ctdb_req_message_pull(uint8_t *buf, size_t buflen,
 if (buflen < length) {
 return EMSGSIZE;
 }
+ if (wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
 if (buflen < length + wire->datalen) {
 return EMSGSIZE;
 }
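Review bot: The checks added in ctdb_req_control_pull carry no comment explaining why a bound test and a wrap test both precede the existing `buflen < length + wire->datalen` comparison. The same uncommented sequence now sits in every pull function this commit touches, so a later cleanup could easily drop one as redundant. A one-line comment above the first added `if` would record the intent: `/* datalen is read from the packet; reject it before length + datalen can wrap */`. How `wire` is derived from `buf` is outside the hunk, so the wording should be matched to that.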
@@ -387,6 +393,12 @@ int ctdb_req_message_data_pull(uint8_t *buf, size_t buflen,
 if (buflen < length) {
 return EMSGSIZE;
 }
+ if (wire->datalen > buflen) {
+ return EMSGSIZE;
+ }
+ if (length + wire->datalen < length) {
+ return EMSGSIZE;
+ }
 if (buflen < length + wire->datalen) {
 return EMSGSIZE;
 }