Re: [RESEND] [PATCH] Fix for segfault in tgtd sendtargets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry for being that late in the game, but I think the patch should be
reverted:

Am Freitag, den 03.04.2009, 00:45 +0100 schrieb Chris Webb: 
> I have an amd64 host exporting around 70 iscsi targets (each with one LUN)
> using tgtd. Exporting the targets works fine, but when I run a 'sendtargets'
> discovery against the host, tgtd segfaults in conn_exit() because of heap
> corruption when it tries to free conn->rsp_buffer.
> 
>   (gdb) print conn->rsp.datasize                 
>   $12 = 13104
> 
> It turns out conn->rsp_buffer is being filled beyond INCOMING_BUFSIZE (8192)
> by text_key_add() because it checks for overflow of conn->tx_size instead of
> conn->rsp.datasize. The faulty test is fixed by:
> 
> Signed-off-by: Chris Webb <chris@xxxxxxxxxxxx>
> 
> diff -uNrp a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
> --- a/usr/iscsi/iscsid.c	2009-03-28 22:54:21.000000000 +0000
> +++ b/usr/iscsi/iscsid.c	2009-03-28 23:09:06.000000000 +0000
> @@ -160,7 +160,7 @@ void text_key_add(struct iscsi_connectio
>  	if (!conn->rsp.datasize)
>  		conn->rsp.data = conn->rsp_buffer;
>  
> -	if (conn->tx_size + len > INCOMING_BUFSIZE) {
> +	if (conn->rsp.datasize + len > INCOMING_BUFSIZE) {
>  		log_warning("Dropping key (%s=%s)", key, value);
>  		return;
>  	}
> 
> 
> However, I don't think this is the right fix, 

No, it actually is.

> because sendtargets would
> remain broken as soon as the size of the target list exceeed
> INCOMING_BUFSIZE. The following patch instead realloc()s the response buffer
> if it needs to grow to accommodate the target list:

The buffer cannot be arbitrarily reallocated. Ultimately this will lead
to a violation of the MaxRecvDSL the initiator (implicitly) declared. To
get this right the target list will have to be split into multiple PDUs,
which is AFAIK not supported.

Arne 

> Signed-off-by: Chris Webb <chris@xxxxxxxxxxxx>
> 
> diff -uNrp a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
> --- a/usr/iscsi/iscsid.c	2009-03-28 22:54:21.000000000 +0000
> +++ b/usr/iscsi/iscsid.c	2009-03-28 23:26:48.000000000 +0000
> @@ -160,12 +160,18 @@ void text_key_add(struct iscsi_connectio
>  	if (!conn->rsp.datasize)
>  		conn->rsp.data = conn->rsp_buffer;
>  
> -	if (conn->tx_size + len > INCOMING_BUFSIZE) {
> -		log_warning("Dropping key (%s=%s)", key, value);
> -		return;
> +	buffer = conn->rsp_buffer;
> +
> +	if (conn->rsp.datasize + len > INCOMING_BUFSIZE) {
> +		buffer = realloc(buffer, conn->rsp.datasize + len);
> +		if (buffer)
> +			conn->rsp_buffer = buffer;
> +		else {
> +			log_warning("Dropping key (%s=%s)", key, value);
> +			return;
> +		}
>  	}
>  
> -	buffer = conn->rsp_buffer;
>  	buffer += conn->rsp.datasize;
>  	conn->rsp.datasize += len;
>  
> 
> Best wishes,
> 
> Chris.
> --
> To unsubscribe from this list: send the line "unsubscribe stgt" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux SCSI]     [Linux RAID]     [Linux Clusters]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]

  Powered by Linux