Re: [PATCH 1/1] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
On 9/3/2014 8:00 AM, micha...@cs.wisc.edu wrote:
From: Mike Christie micha...@cs.wisc.edu
This patches fixes a potential buffer overrun in __iscsi_conn_send_pdu.
This function is used by iscsi drivers and userspace to send iscsi PDUs/
commands. For login commands, we have a set buffer size. For all other
commands we do not support data buffers.
This was reported by Dan Carpenter here:
http://www.spinics.net/lists/linux-scsi/msg66838.html
Reported-by: Dan Carpenter dan.carpen...@oracle.com
Signed-off-by: Mike Christie micha...@cs.wisc.edu
---
drivers/scsi/libiscsi.c | 10 ++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index ea025e4..191b597 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -717,11 +717,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn *conn, struct
iscsi_hdr *hdr,
return NULL;
}
+ if (data_size ISCSI_DEF_MAX_RECV_SEG_LEN) {
+ iscsi_conn_printk(KERN_ERR, conn, Invalid buffer len of %u
for login task. Max len is %u\n, data_size, ISCSI_DEF_MAX_RECV_SEG_LEN);
+ return NULL;
+ }
+
task = conn-login_task;
} else {
if (session-state != ISCSI_STATE_LOGGED_IN)
return NULL;
+ if (data_size != 0) {
+ iscsi_conn_printk(KERN_ERR, conn, Can not send data buffer
of len %u for op 0x%x\n, data_size, opcode);
+ return NULL;
+ }
+
BUG_ON(conn-c_stage == ISCSI_CONN_INITIAL_STAGE);
BUG_ON(conn-c_stage == ISCSI_CONN_STOPPED);
Looks good to me too,
Reviewed-by: Sagi Grimberg sa...@mellanox.com
--
To unsubscribe from this list: send the line unsubscribe linux-scsi in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 1/1] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
From: Mike Christie micha...@cs.wisc.edu
This patches fixes a potential buffer overrun in __iscsi_conn_send_pdu.
This function is used by iscsi drivers and userspace to send iscsi PDUs/
commands. For login commands, we have a set buffer size. For all other
commands we do not support data buffers.
This was reported by Dan Carpenter here:
http://www.spinics.net/lists/linux-scsi/msg66838.html
Reported-by: Dan Carpenter dan.carpen...@oracle.com
Signed-off-by: Mike Christie micha...@cs.wisc.edu
---
drivers/scsi/libiscsi.c | 10 ++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index ea025e4..191b597 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -717,11 +717,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn *conn, struct
iscsi_hdr *hdr,
return NULL;
}
+ if (data_size ISCSI_DEF_MAX_RECV_SEG_LEN) {
+ iscsi_conn_printk(KERN_ERR, conn, Invalid buffer len
of %u for login task. Max len is %u\n, data_size, ISCSI_DEF_MAX_RECV_SEG_LEN);
+ return NULL;
+ }
+
task = conn-login_task;
} else {
if (session-state != ISCSI_STATE_LOGGED_IN)
return NULL;
+ if (data_size != 0) {
+ iscsi_conn_printk(KERN_ERR, conn, Can not send data
buffer of len %u for op 0x%x\n, data_size, opcode);
+ return NULL;
+ }
+
BUG_ON(conn-c_stage == ISCSI_CONN_INITIAL_STAGE);
BUG_ON(conn-c_stage == ISCSI_CONN_STOPPED);
--
1.7.1
--
To unsubscribe from this list: send the line unsubscribe linux-scsi in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: potential buffer overrun in __iscsi_conn_send_pdu()
I never heard back on this. It still looks like a very serious bug
with security implications etc.
regards,
dan carpenter
On Mon, Jun 24, 2013 at 06:46:31PM +0300, Dan Carpenter wrote:
My static checker complains about a possible array overflow in
__iscsi_conn_send_pdu().
drivers/scsi/libiscsi.c
743 if (data_size) {
744 memcpy(task-data, data, data_size);
745 task-data_count = data_size;
746 } else
747 task-data_count = 0;
748
data_size comes from skb-data and we haven't checked that it is less
than ISCSI_DEF_MAX_RECV_SEG_LEN (8192).
The call tree is:
iscsi_if_recv_msg()
iscsi_conn_send_pdu()
__iscsi_conn_send_pdu()
I'm a newbie to this code, so I'm not sure if this is a real bug or not.
regards,
dan carpenter
--
To unsubscribe from this list: send the line unsubscribe linux-scsi in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: potential buffer overrun in __iscsi_conn_send_pdu()
On 9/1/14, 1:06 PM, Dan Carpenter wrote:
I never heard back on this. It still looks like a very serious bug
with security implications etc.
Sorry about that. I must have missed the original. You are right. I
should have a tested patch by tomorrow.
regards,
dan carpenter
On Mon, Jun 24, 2013 at 06:46:31PM +0300, Dan Carpenter wrote:
My static checker complains about a possible array overflow in
__iscsi_conn_send_pdu().
drivers/scsi/libiscsi.c
743 if (data_size) {
744 memcpy(task-data, data, data_size);
745 task-data_count = data_size;
746 } else
747 task-data_count = 0;
748
data_size comes from skb-data and we haven't checked that it is less
than ISCSI_DEF_MAX_RECV_SEG_LEN (8192).
The call tree is:
iscsi_if_recv_msg()
iscsi_conn_send_pdu()
__iscsi_conn_send_pdu()
I'm a newbie to this code, so I'm not sure if this is a real bug or not.
regards,
dan carpenter
--
To unsubscribe from this list: send the line unsubscribe linux-scsi in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
potential buffer overrun in __iscsi_conn_send_pdu()
My static checker complains about a possible array overflow in
__iscsi_conn_send_pdu().
drivers/scsi/libiscsi.c
743 if (data_size) {
744 memcpy(task-data, data, data_size);
745 task-data_count = data_size;
746 } else
747 task-data_count = 0;
748
data_size comes from skb-data and we haven't checked that it is less
than ISCSI_DEF_MAX_RECV_SEG_LEN (8192).
The call tree is:
iscsi_if_recv_msg()
iscsi_conn_send_pdu()
__iscsi_conn_send_pdu()
I'm a newbie to this code, so I'm not sure if this is a real bug or not.
regards,
dan carpenter
--
To unsubscribe from this list: send the line unsubscribe linux-scsi in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
