On 9/1/14, 1:06 PM, Dan Carpenter wrote:
I never heard back on this. It still looks like a very serious bug with security implications etc.
Sorry about that. I must have missed the original. You are right. I should have a tested patch by tomorrow.
regards, dan carpenter On Mon, Jun 24, 2013 at 06:46:31PM +0300, Dan Carpenter wrote:My static checker complains about a possible array overflow in __iscsi_conn_send_pdu(). drivers/scsi/libiscsi.c 743 if (data_size) { 744 memcpy(task->data, data, data_size); 745 task->data_count = data_size; 746 } else 747 task->data_count = 0; 748 "data_size" comes from skb->data and we haven't checked that it is less than ISCSI_DEF_MAX_RECV_SEG_LEN (8192). The call tree is: iscsi_if_recv_msg() iscsi_conn_send_pdu() __iscsi_conn_send_pdu() I'm a newbie to this code, so I'm not sure if this is a real bug or not. regards, dan carpenter
-- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
