From 6d54af2c4803c58ba3bbb9391323a381162b6c43 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Apr 17 2018 14:53:56 +0000
Subject: import corosync-2.4.3-2.el7_5.1


---

diff --git a/SOURCES/bz1560467-1-totemcrypto-Check-length-of-the-packet.patch b/SOURCES/bz1560467-1-totemcrypto-Check-length-of-the-packet.patch
new file mode 100644
index 0000000..d574436
--- /dev/null
+++ b/SOURCES/bz1560467-1-totemcrypto-Check-length-of-the-packet.patch
@@ -0,0 +1,48 @@
+From 3923de59d71ca6f5affa63a32c6eb688efed6356 Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Fri, 6 Apr 2018 14:43:02 +0200
+Subject: [PATCH] totemcrypto: Check length of the packet
+
+Packet has to be longer than crypto_config_header and hash_len,
+otherwise unallocated memory is passed into calculate_nss_hash function,
+what may result in crash.
+
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+Reviewed-by: Raphael Sanchez Prudencio <rasanche@redhat.com>
+Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
+---
+ exec/totemcrypto.c |   11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
+index 64246c9..88c68d1 100644
+--- a/exec/totemcrypto.c
++++ b/exec/totemcrypto.c
+@@ -736,6 +736,11 @@ static int authenticate_nss_2_3 (
+ 		unsigned char	tmp_hash[hash_len[instance->crypto_hash_type]];
+ 		int             datalen = *buf_len - hash_len[instance->crypto_hash_type];
+ 
++		if (*buf_len <= hash_len[instance->crypto_hash_type]) {
++			log_printf(instance->log_level_security, "Received message is too short...  ignoring");
++			return -1;
++		}
++
+ 		if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) {
+ 			return -1;
+ 		}
+@@ -845,6 +850,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
+ {
+ 	struct crypto_config_header *cch = (struct crypto_config_header *)buf;
+ 
++	if (*buf_len <= sizeof(struct crypto_config_header)) {
++		log_printf(instance->log_level_security, "Received message is too short...  ignoring");
++
++		return (-1);
++	}
++
+ 	if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
+ 		log_printf(instance->log_level_security,
+ 			   "Incoming packet has different crypto type. Rejecting");
+-- 
+1.7.1
+
diff --git a/SPECS/corosync.spec b/SPECS/corosync.spec
index c1add45..4c30c0f 100644
--- a/SPECS/corosync.spec
+++ b/SPECS/corosync.spec
@@ -24,7 +24,7 @@
 Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
 Version: 2.4.3
-Release: 2%{?gitver}%{?dist}
+Release: 2%{?gitver}%{?dist}.1
 License: BSD
 Group: System Environment/Base
 URL: http://corosync.github.io/corosync/
@@ -32,6 +32,7 @@ Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?git
 
 Patch0: bz1536219-1-logging-Make-blackbox-configurable.patch
 Patch1: bz1536219-2-logging-Close-before-and-open-blackbox-after-fork.patch
+Patch2: bz1560467-1-totemcrypto-Check-length-of-the-packet.patch
 
 %if 0%{?rhel}
 ExclusiveArch: i686 x86_64 s390x ppc64le
@@ -91,6 +92,7 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 %setup -q -n %{name}-%{version}%{?gittarver}
 %patch0 -p1 -b .bz1536219-1
 %patch1 -p1 -b .bz1536219-2
+%patch2 -p1 -b .bz1560467-1
 
 %build
 %if %{with runautogen}
@@ -522,6 +524,11 @@ fi
 %endif
 
 %changelog
+* Fri Apr 06 2018 Jan Friesse <jfriesse@redhat.com> 2.4.3-2.1
+- Resolves: rhbz#1560467
+
+- totemcrypto: Check length of the packet
+
 * Mon Feb 05 2018 Jan Friesse <jfriesse@redhat.com> 2.4.3-2
 - Resolves: rhbz#1536219