Re: potential buffer overrun in __iscsi_conn_send_pdu()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 9/1/14, 1:06 PM, Dan Carpenter wrote:
I never heard back on this.  It still looks like a very serious bug
with security implications etc.


Sorry about that. I must have missed the original. You are right. I should have a tested patch by tomorrow.


regards,
dan carpenter

On Mon, Jun 24, 2013 at 06:46:31PM +0300, Dan Carpenter wrote:
My static checker complains about a possible array overflow in
__iscsi_conn_send_pdu().

drivers/scsi/libiscsi.c
    743          if (data_size) {
    744                  memcpy(task->data, data, data_size);
    745                  task->data_count = data_size;
    746          } else
    747                  task->data_count = 0;
    748

"data_size" comes from skb->data and we haven't checked that it is less
than ISCSI_DEF_MAX_RECV_SEG_LEN (8192).

The call tree is:
iscsi_if_recv_msg()
iscsi_conn_send_pdu()
__iscsi_conn_send_pdu()

I'm a newbie to this code, so I'm not sure if this is a real bug or not.

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]
  Powered by Linux