From e430d097b727de920aeb22af0e282678036d8a0d Mon Sep 17 00:00:00 2001
From: Michael Davidsaver <mdavidsaver@gmail.com>
Date: Wed, 3 May 2017 16:42:19 -0400
Subject: [PATCH] ioc/rsrv: bounds check DBR

avoid array overrun when evaluating dbr_size_n() macro.
---
 src/rsrv/camessage.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/rsrv/camessage.c b/src/rsrv/camessage.c
index b3eced22a..df1ce65b2 100644
--- a/src/rsrv/camessage.c
+++ b/src/rsrv/camessage.c
@@ -737,6 +737,10 @@ static int read_notify_action ( caHdrLargeArray *mp, void *pPayload, struct clie
     struct channel_in_use *pciu;
     struct event_ext evext;
 
+    if ( INVALID_DB_REQ(mp->m_dataType) ) {
+        return RSRV_ERROR;
+    }
+
     pciu = MPTOPCIU ( mp );
     if ( !pciu ) {
         logBadId ( client, mp, pPayload );
@@ -1845,6 +1849,10 @@ static int event_add_action (caHdrLargeArray *mp, void *pPayload, struct client
     struct channel_in_use *pciu;
     struct event_ext *pevext;
 
+    if ( INVALID_DB_REQ(mp->m_dataType) ) {
+        return RSRV_ERROR;
+    }
+
     pciu = MPTOPCIU ( mp );
     if ( ! pciu ) {
         logBadId ( client, mp, pPayload );