# From https://github.com/corosync/corosync/pull/779
# original patch author: Jan Friesse <jfriesse@redhat.com>
[PATCH] totemsrp: Check size of orf_token msg

orf_token message is stored into preallocated array on endian convert
so carefully crafted malicious message can lead to crash of corosync.

Solution is to check message size beforehand.
diff --color -uNr corosync-2.4.6/exec/totemsrp.c corosync-2.4.6.new/exec/totemsrp.c
--- corosync-2.4.6/exec/totemsrp.c	2022-11-08 23:16:41.000000000 +0800
+++ corosync-2.4.6.new/exec/totemsrp.c	2025-03-26 18:42:58.160044393 +0800
@@ -3730,6 +3730,7 @@
 	const struct totemsrp_instance *instance,
 	const void *msg,
 	size_t msg_len,
+	size_t max_msg_len,
 	int endian_conversion_needed)
 {
 	int rtr_entries;
@@ -3737,6 +3738,14 @@
 	size_t required_len;
 	int i;
 
+	if (msg_len > max_msg_len) {
+		log_printf (instance->totemsrp_log_level_security,
+		    "Received orf_token message is too long...  ignoring.");
+
+		return (-1);
+	}
+
+
 	if (msg_len < sizeof(struct orf_token)) {
 		log_printf (instance->totemsrp_log_level_security,
 		    "Received orf_token message is too short...  ignoring.");
@@ -3754,6 +3763,13 @@
 		rtr_entries = token->rtr_list_entries;
 	}
 
+	if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
+		log_printf (instance->totemsrp_log_level_security,
+		    "Received orf_token message rtr_entries is corrupted...  ignoring.");
+
+		return (-1);
+	}
+
 	required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
 	if (msg_len < required_len) {
 		log_printf (instance->totemsrp_log_level_security,
@@ -3991,7 +4007,8 @@
 	"Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
 #endif
 
-	if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
+	if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
+	    endian_conversion_needed) == -1) {
 		return (0);
 	}