On Tue, Jul 25, 2023 at 10:45:45AM +0800, Lin Ma wrote:
> The functions iscsi_if_set_param and iscsi_if_set_host_param convert the
> nlattr payload to type char* and then call C string handling functions
> like sscanf and kstrdup.
>
> char *data = (char*)ev + sizeof(*ev);
> ...
> sscanf(data, "%d", &value);
>
> However, since the nlattr is provided by the user-space program and
> the nlmsg skb is allocated with GFP_KERNEL instead of the GFP_ZERO flag
> (see netlink_alloc_large_skb in netlink_sendmsg), the dirty data
> remaining in the heap can cause an OOB read for those string handling
> functions.
Reviewed-by: Chris Leech <[email protected]>

To view this discussion on the web visit https://groups.google.com/d/msgid/open-iscsi/ZMAF1%2BP3blgBZ%2B/m%40rhel-developer-toolbox-latest.
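As an added user-space illustration of the hazard described in the quoted commit message (this is not the open-iscsi patch nor code from the kernel tree), the block below contrasts the unchecked pattern, where sscanf runs over a payload that is not NUL-terminated within its length, with a check that rejects the payload unless a terminator lies inside the attribute length. The buffers DIRTY_ALLOC and CLEAN_ALLOC are constructed samples standing in for a GFP_KERNEL allocation that still holds stale bytes after the 2-byte payload; the helper names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (hypothetical, not kernel data): a 2-byte payload "12"
 * placed in a larger allocation whose remaining bytes still hold stale data
 * ("34"). A NUL well past the payload keeps the demo deterministic; a real
 * GFP_KERNEL allocation gives no such guarantee, which is the OOB-read
 * hazard the commit message describes. */
#define PAYLOAD_LEN 2
static const char DIRTY_ALLOC[] = { '1', '2', '3', '4', '\0' };
static const char CLEAN_ALLOC[] = { '1', '2', '\0', '\0', '\0' };

/* Unchecked pattern: the payload is treated as a C string regardless of
 * its declared length, so sscanf keeps reading past the payload until it
 * meets a non-digit or a NUL. */
static int parse_unchecked(const char *data)
{
    int value = 0;
    sscanf(data, "%d", &value);
    return value;
}

/* Checked pattern: accept the payload only if a NUL terminator exists within
 * the first len bytes, so string functions cannot run past it.
 * Returns 0 on success, -1 if the payload is not a valid C string or does
 * not parse as an integer. */
static int parse_checked(const char *data, size_t len, int *value)
{
    if (len == 0 || memchr(data, '\0', len) == NULL)
        return -1;
    return sscanf(data, "%d", value) == 1 ? 0 : -1;
}

/* Stale bytes after the payload are consumed: yields 1234 instead of 12. */
int demo_unchecked_dirty(void)
{
    return parse_unchecked(DIRTY_ALLOC);
}

/* Same buffer, but the length-bounded check rejects it: yields -1. */
int demo_checked_dirty(void)
{
    int v = 0;
    return parse_checked(DIRTY_ALLOC, PAYLOAD_LEN, &v);
}

/* A payload that carries its terminator within the length parses as 12. */
int demo_checked_clean(void)
{
    int v = 0;
    if (parse_checked(CLEAN_ALLOC, PAYLOAD_LEN + 1, &v) != 0)
        return -1;
    return v;
}

int main(void)
{
    printf("unchecked on dirty payload: %d\n", demo_unchecked_dirty());
    printf("checked on dirty payload:   %d\n", demo_checked_dirty());
    printf("checked on clean payload:   %d\n", demo_checked_clean());
    return 0;
}
```

The check mirrors what a receiver of untrusted netlink attributes needs before any C-string call: the attribute length, not the presence of a NUL somewhere in the heap, is the only trustworthy bound on the data.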
