On Wed, May 7, 2008 at 12:43 AM, FUJITA Tomonori <[EMAIL PROTECTED]> wrote:
...
>
> We still have the same problem here? If a buggy (or malicious)
> initiator sends a bogus cdb, alloc_len can be larger than what we
> actually allocated.

Yes.
For example, if an application tries to "probe" the size of a modepage by doing a mode sense and specifying alloc_len == 20, for example, when requesting the modepage for MM Capabilities (which is >60 bytes in size), then the memcpy() will corrupt data and tgtd will crash.

>
> I'll fix this bug later.
>
ok. thanks.

_______________________________________________
Stgt-devel mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/stgt-devel
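The bounds problem discussed in this thread, shown as an added example that is not tgt's own code: a hypothetical MODE SENSE(6) handler that clamps the memcpy length to both the CDB's ALLOCATION LENGTH and the size the target actually allocated, plus a guard-byte harness that detects an overrun. The 64-byte page 0x2A layout, the 4-byte header and all names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

#define PAGE_2A_LEN 64             /* constructed: MM Capabilities page, > 60 bytes */
#define RESP_LEN (4 + PAGE_2A_LEN) /* 4-byte mode parameter header + page */
/* Constructed MODE SENSE(6) response: header followed by page 0x2A. */
static size_t build_response(uint8_t out[RESP_LEN])
{
    memset(out, 0, RESP_LEN);
    out[0] = RESP_LEN - 1;        /* MODE DATA LENGTH excludes itself */
    out[4] = 0x2A;                /* page code */
    out[5] = PAGE_2A_LEN - 2;     /* page length excludes its 2-byte header */
    memset(out + 6, 0xAB, PAGE_2A_LEN - 2); /* constructed page contents */
    return RESP_LEN;
}

/*
 * Copy the response into the data-in buffer. The copy length is bounded by
 * the CDB's ALLOCATION LENGTH (cdb[4]) AND by buf_len, the size the target
 * itself allocated. The bug in the thread is the variant that trusts only
 * alloc_len: memcpy(data_in, tmp, alloc_len) overruns when alloc_len > buf_len.
 */
size_t mode_sense6(const uint8_t *cdb, uint8_t *data_in, size_t buf_len)
{
    uint8_t tmp[RESP_LEN];
    size_t n = build_response(tmp);
    size_t alloc_len = cdb[4];
    if (n > alloc_len) n = alloc_len;  /* initiator wants fewer bytes */
    if (n > buf_len)   n = buf_len;    /* never exceed our own allocation */
    memcpy(data_in, tmp, n);
    return n;
}

/* Harness: run one MODE SENSE(6) with the given alloc_len against a buffer of
 * buf_len bytes surrounded by guard bytes; returns bytes copied, or
 * (size_t)-1 if a guard byte was clobbered (i.e. an overrun happened). */
size_t probe(uint8_t alloc_len, size_t buf_len)
{
    uint8_t cdb[6] = { 0x1A, 0, 0x2A, 0, alloc_len, 0 };
    uint8_t *buf = malloc(buf_len + 16);
    memset(buf, 0x5A, buf_len + 16);
    size_t n = mode_sense6(cdb, buf + 8, buf_len);
    for (size_t i = 0; i < 8; i++)
        if (buf[i] != 0x5A || buf[8 + buf_len + i] != 0x5A) n = (size_t)-1;
    free(buf);
    return n;
}
```

probe(200, 20) models the "probe with alloc_len == 20" case after the fix: only 20 bytes are copied and the guard bytes stay intact.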
