Hi! May I ask a related question: _why_ is a power of two needed for value (R2T)?
Regards,
Ulrich

>>> Xi Wang <[email protected]> wrote on 31.12.2011 at 23:01 in message <[email protected]>:
> A large max_r2t could lead to integer overflow in subsequent call to > iscsi_tcp_r2tpool_alloc(), allocating a smaller buffer than expected > and leading to out-of-bounds write. > > Signed-off-by: Xi Wang <[email protected]> > Cc: [email protected] > --- > drivers/scsi/iscsi_tcp.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c > index 7c34d8e..9a1bf21 100644 > --- a/drivers/scsi/iscsi_tcp.c > +++ b/drivers/scsi/iscsi_tcp.c > @@ -687,7 +687,7 @@ static int iscsi_sw_tcp_conn_set_param(struct > iscsi_cls_conn *cls_conn, > struct iscsi_session *session = conn->session; > struct iscsi_tcp_conn *tcp_conn = conn->dd_data; > struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data; > - int value; > + int value = 0; > > switch(param) { > case ISCSI_PARAM_HDRDGST_EN: > @@ -700,7 +700,7 @@ static int iscsi_sw_tcp_conn_set_param(struct > iscsi_cls_conn *cls_conn, > break; > case ISCSI_PARAM_MAX_R2T: > sscanf(buf, "%d", &value); > - if (value <= 0 || !is_power_of_2(value)) > + if (value <= 0 || value > 65536 || !is_power_of_2(value)) > return -EINVAL; > if (session->max_r2t == value) > break;
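Review bot: in the first hunk (`int value = 0;` at @@ -687), the initialiser only matters because `sscanf(buf, "%d", &value)` in the second hunk leaves `value` untouched when it fails to parse, and a zero then falls into the `value <= 0` rejection; that dependency is implicit. Checking the parse result directly, e.g. `if (sscanf(buf, "%d", &value) != 1) return -EINVAL;`, would state the intent and make the initialiser unnecessary.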
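Review bot: in the second hunk (`value > 65536` at @@ -700), the new upper bound is a bare constant with no comment linking it to the multiplication in iscsi_tcp_r2tpool_alloc() that the commit message says overflows; a named constant or a one-line comment deriving the limit from the other factors in that computation would let a reader verify the bound still holds if those factors change. Since 65536 is itself a power of two, the check does keep the largest intended value accepted.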

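As an added illustration of the failure mode the commit message describes (this is example code, not the open-iscsi patch or the kernel's own implementation), the block below models a per-session R2T pool size computed as max_r2t times two other factors in 32-bit arithmetic. `CMDS_MAX` and `ENTRY_BYTES` values are constructed, and `naive_pool_bytes`/`checked_pool_bytes` are hypothetical stand-ins for the arithmetic in iscsi_tcp_r2tpool_alloc(), which is not shown on the page. `parse_max_r2t` mirrors the patched validation, including the `value = 0` initialiser that makes a failed parse fall into the `value <= 0` rejection.

```c
/* Added example (not from the open-iscsi patch or the kernel): models how an
 * unchecked size computation for a per-session R2T pool can wrap and
 * under-allocate, and how the patch's input bound plus overflow-checked
 * arithmetic avoid it. cmds_max and entry_bytes are constructed values; the
 * real iscsi_tcp_r2tpool_alloc() arithmetic is not shown on the page. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_R2T_LIMIT 65536u   /* the upper bound the patch introduces */

/* Same predicate the patch relies on (equivalent of the kernel's is_power_of_2). */
static bool is_power_of_2(unsigned long n)
{
    return n != 0 && (n & (n - 1)) == 0;
}

/* Mirrors the patched validation in iscsi_sw_tcp_conn_set_param(): value
 * starts at 0 so a failed sscanf is rejected by the value <= 0 test.
 * Returns 0 and stores the value on success, -1 (EINVAL in the kernel) otherwise. */
int parse_max_r2t(const char *buf, int *out)
{
    int value = 0;

    sscanf(buf, "%d", &value);
    if (value <= 0 || (unsigned)value > MAX_R2T_LIMIT ||
        !is_power_of_2((unsigned)value))
        return -1;
    *out = value;
    return 0;
}

/* Naive 32-bit sizing (hypothetical): the product silently wraps modulo 2^32,
 * so a huge max_r2t can yield a tiny, even zero, allocation size. */
unsigned int naive_pool_bytes(unsigned int max_r2t, unsigned int cmds_max,
                              unsigned int entry_bytes)
{
    return max_r2t * cmds_max * entry_bytes;
}

/* Checked 32-bit sizing (hypothetical): reports overflow instead of wrapping. */
bool checked_pool_bytes(unsigned int max_r2t, unsigned int cmds_max,
                        unsigned int entry_bytes, unsigned int *out)
{
    unsigned int n;

    if (__builtin_mul_overflow(max_r2t, cmds_max, &n))
        return false;
    if (__builtin_mul_overflow(n, entry_bytes, &n))
        return false;
    *out = n;
    return true;
}

int main(void)
{
    const unsigned int cmds_max = 2, entry_bytes = 4;   /* constructed */
    const char *inputs[] = { "4096", "3000", "1073741824", "junk" };
    int value, i;
    unsigned int bytes;

    for (i = 0; i < 4; i++) {
        if (parse_max_r2t(inputs[i], &value) < 0) {
            printf("%-11s rejected by the patched check\n", inputs[i]);
            continue;
        }
        printf("%-11s accepted; naive size %u, checked size %s\n", inputs[i],
               naive_pool_bytes((unsigned)value, cmds_max, entry_bytes),
               checked_pool_bytes((unsigned)value, cmds_max, entry_bytes, &bytes)
                   ? "ok" : "overflow");
    }
    /* The value the patch now rejects, fed to the old arithmetic:
     * 2^30 * 2 * 4 = 2^33 wraps to 0 bytes in 32-bit unsigned arithmetic. */
    printf("unbounded 1073741824 -> naive size %u bytes\n",
           naive_pool_bytes(1u << 30, cmds_max, entry_bytes));
    return 0;
}
```

The input bound alone is only sufficient if the other factors in the size computation are also bounded; the checked multiplication catches the case where they are not, which is why both are shown together.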