Re: potential buffer overrun in __iscsi_conn_send_pdu()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I never heard back on this.  It still looks like a very serious bug
with security implications etc.

regards,
dan carpenter

On Mon, Jun 24, 2013 at 06:46:31PM +0300, Dan Carpenter wrote:
> My static checker complains about a possible array overflow in
> __iscsi_conn_send_pdu().
> 
> drivers/scsi/libiscsi.c
>    743          if (data_size) {
>    744                  memcpy(task->data, data, data_size);
>    745                  task->data_count = data_size;
>    746          } else
>    747                  task->data_count = 0;
>    748  
> 
> "data_size" comes from skb->data and we haven't checked that it is less
> than ISCSI_DEF_MAX_RECV_SEG_LEN (8192).
> 
> The call tree is:
> iscsi_if_recv_msg()
> iscsi_conn_send_pdu()
> __iscsi_conn_send_pdu()
> 
> I'm a newbie to this code, so I'm not sure if this is a real bug or not.
> 
> regards,
> dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]
  Powered by Linux