On Wed, 15 Aug 2018 10:19:14 +0000, Vincent Pelletier <plr.vincent@xxxxxxxxx> wrote:
> Fixes a use-after-free reported by KASAN when later
> iscsi_target_login_sess_out gets called and it tries to access
> conn->sess->se_sess:

I could still hit this issue by causing a timeout, and located the guilty kfree:

> ret = iscsi_login_set_conn_values(sess, conn, pdu->cid);

Here, conn->sess is set.

> - if (unlikely(ret)) {
> - kfree(sess);

This is the guilty kfree.

> + ret = -ENOMEM;

This is just to be strictly compliant with the hardcoded return value which I'm replacing with "ret". I tend to think this is wrong (hiding a possibly more relevant error code?), but I do not know the surrounding code nearly enough to make a decision - so status quo it is.

Regards,
--
Vincent Pelletier
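Review bot: the `+ ret = -ENOMEM;` line in the error path overwrites whatever iscsi_login_set_conn_values() returned in `ret`, so if that call can fail for a reason other than allocation the caller only ever sees -ENOMEM; since the point of the change is to propagate `ret`, consider dropping the assignment and returning `ret` unchanged, or, if the old hard-coded -ENOMEM must be preserved, say so in the commit message. Separately, the removed `- kfree(sess);` sits after conn->sess has already been pointed at sess, so any error path that still frees sess here needs to also clear conn->sess (or leave the free to the later teardown that dereferences conn->sess->se_sess), otherwise the dangling pointer the KASAN report describes remains.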
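The pattern under discussion, as an added C example that is not part of the thread or of the iSCSI target code: a session object is published into a connection (conn->sess), a later step fails, and the error path frees the session while conn->sess still points at it, so the eventual teardown touches freed memory. The struct names, the one-slot "allocator" with a freed flag (a stand-in for what KASAN detects), the simulated failure argument and the -22 error value are all constructed for this example. The corrected variant treats publication as a transfer of ownership: after conn->sess is set, the error path no longer frees the object and leaves it to the teardown that already walks conn->sess.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures; not the iSCSI target code. */
struct se_sess { int id; };
struct sess    { struct se_sess *se_sess; int freed; };
struct conn    { struct sess *sess; };

/* Tiny instrumented "allocator": one static slot plus a freed flag, so a
 * dangling pointer can be detected deterministically (stand-in for KASAN). */
static struct se_sess g_se_sess;
static struct sess g_sess_slot;

static struct sess *sess_alloc(void)
{
    memset(&g_sess_slot, 0, sizeof(g_sess_slot));
    g_se_sess.id = 42;
    g_sess_slot.se_sess = &g_se_sess;
    return &g_sess_slot;
}

static void sess_free(struct sess *sess)
{
    sess->freed = 1;          /* poison instead of really freeing */
    sess->se_sess = NULL;
}

/* Publishes sess into conn, then may fail (failure simulated by the argument). */
static int login_set_conn_values(struct sess *sess, struct conn *conn, int fail)
{
    conn->sess = sess;        /* from here on, conn holds a reference to sess */
    return fail ? -22 : 0;    /* constructed error value standing in for "some error" */
}

/* Later teardown, modelled on the reported crash path: it dereferences
 * conn->sess->se_sess. Returns 0 on a clean teardown, -1 if it would have
 * touched freed memory (the condition KASAN flagged). */
static int login_sess_out(struct conn *conn)
{
    if (!conn->sess)
        return 0;
    if (conn->sess->freed)
        return -1;            /* dangling conn->sess: use-after-free */
    (void)conn->sess->se_sess->id;
    sess_free(conn->sess);
    conn->sess = NULL;
    return 0;
}

/* Buggy error handling: frees sess after conn already points at it. */
static int login_buggy(struct conn *conn)
{
    struct sess *sess = sess_alloc();
    int ret = login_set_conn_values(sess, conn, /*fail=*/1);
    if (ret) {
        sess_free(sess);      /* conn->sess is now dangling */
        return ret;
    }
    return 0;
}

/* Corrected handling: once the pointer is published, ownership belongs to conn,
 * so the error path leaves the object alone and the teardown frees it. */
static int login_fixed(struct conn *conn)
{
    struct sess *sess = sess_alloc();
    int ret = login_set_conn_values(sess, conn, /*fail=*/1);
    if (ret)
        return ret;           /* no free here; login_sess_out() frees via conn->sess */
    return 0;
}

/* Drives one scenario (buggy or fixed) and returns what the teardown observed:
 * 0 for a clean teardown, -1 for a detected use-after-free. */
static int run_scenario(int fixed)
{
    struct conn conn = { .sess = NULL };
    int ret = fixed ? login_fixed(&conn) : login_buggy(&conn);
    if (ret == 0)
        return 1;             /* unexpected: both scenarios simulate a failed login */
    return login_sess_out(&conn);
}
```

The same fix can be expressed the other way round (free in the error path but set conn->sess = NULL first); which one is right depends on which function is meant to own the object, and the point is that exactly one of them may free it.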