re: [SCSI] qla4xxx: fix flash/ddb support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Mike Christie,

The patch 13483730a13b: "[SCSI] qla4xxx: fix flash/ddb support" from
Dec 1, 2011, leads to the following warning:
drivers/scsi/qla4xxx/ql4_os.c:714 qla4xxx_ep_connect()
	 error: memcpy() 'dst_addr' too small (16 vs 28)

I've sort of reported this bug before because it exhibits itself in more
than one way.

  4684  static struct iscsi_endpoint *qla4xxx_get_ep_fwdb(struct scsi_qla_host *ha,
  4685                                          struct dev_db_entry *fw_ddb_entry)
  4686  {
  4687          struct iscsi_endpoint *ep;
  4688          struct sockaddr_in *addr;
  4689          struct sockaddr_in6 *addr6;
  4690          struct sockaddr *dst_addr;

addr6 is 28 bytes.
dst_addr is 16 bytes.

  4691          char *ip;
  4692  
  4693          /* TODO: need to destroy on unload iscsi_endpoint*/
  4694          dst_addr = vmalloc(sizeof(*dst_addr));

We allocate 16 bytes.

  4695          if (!dst_addr)
  4696                  return NULL;
  4697  
  4698          if (fw_ddb_entry->options & DDB_OPT_IPV6_DEVICE) {
  4699                  dst_addr->sa_family = AF_INET6;
  4700                  addr6 = (struct sockaddr_in6 *)dst_addr;
  4701                  ip = (char *)&addr6->sin6_addr;
  4702                  memcpy(ip, fw_ddb_entry->ip_addr, IPv6_ADDR_LEN);

This memcpy() is copying 16 bytes into (u8 *)dst_addr + 8 so it's
corrupting 8 bytes of data past the end of the dst_addr struct.

  4703                  addr6->sin6_port = htons(le16_to_cpu(fw_ddb_entry->port));
  4704  
  4705          } else {
  4706                  dst_addr->sa_family = AF_INET;
  4707                  addr = (struct sockaddr_in *)dst_addr;
  4708                  ip = (char *)&addr->sin_addr;
  4709                  memcpy(ip, fw_ddb_entry->ip_addr, IP_ADDR_LEN);
  4710                  addr->sin_port = htons(le16_to_cpu(fw_ddb_entry->port));
  4711          }
  4712  
  4713          ep = qla4xxx_ep_connect(ha->host, dst_addr, 0);
                                                  ^^^^^^^^
There is another memcpy() inside the call to qla4xxx_ep_connect() which
reads beyond the end of the array.

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]
  Powered by Linux