On Mon, 20 Apr 2009 16:21:01 +0200 Arne Redlich <arne.redlich@xxxxxxxxxxxxxx> wrote: > Sorry for being that late in the game, but I think the patch should be > reverted: > > Am Freitag, den 03.04.2009, 00:45 +0100 schrieb Chris Webb: > > I have an amd64 host exporting around 70 iscsi targets (each with one LUN) > > using tgtd. Exporting the targets works fine, but when I run a 'sendtargets' > > discovery against the host, tgtd segfaults in conn_exit() because of heap > > corruption when it tries to free conn->rsp_buffer. > > > > (gdb) print conn->rsp.datasize > > $12 = 13104 > > > > It turns out conn->rsp_buffer is being filled beyond INCOMING_BUFSIZE (8192) > > by text_key_add() because it checks for overflow of conn->tx_size instead of > > conn->rsp.datasize. The faulty test is fixed by: > > > > Signed-off-by: Chris Webb <chris@xxxxxxxxxxxx> > > > > diff -uNrp a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c > > --- a/usr/iscsi/iscsid.c 2009-03-28 22:54:21.000000000 +0000 > > +++ b/usr/iscsi/iscsid.c 2009-03-28 23:09:06.000000000 +0000 > > @@ -160,7 +160,7 @@ void text_key_add(struct iscsi_connectio > > if (!conn->rsp.datasize) > > conn->rsp.data = conn->rsp_buffer; > > > > - if (conn->tx_size + len > INCOMING_BUFSIZE) { > > + if (conn->rsp.datasize + len > INCOMING_BUFSIZE) { > > log_warning("Dropping key (%s=%s)", key, value); > > return; > > } > > > > > > However, I don't think this is the right fix, > > No, it actually is. Duh, you are right. I'll revert the commit and put the above. > > because sendtargets would > > remain broken as soon as the size of the target list exceeed > > INCOMING_BUFSIZE. The following patch instead realloc()s the response buffer > > if it needs to grow to accommodate the target list: > > The buffer cannot be arbitrarily reallocated. Ultimately this will lead > to a violation of the MaxRecvDSL the initiator (implicitly) declared. To > get this right the target list will have to be split into multiple PDUs, > which is AFAIK not supported. Yeah. Hmm, I can't recall why we supports MaxRecvDSL negotiation in discovery session. -- To unsubscribe from this list: send the line "unsubscribe stgt" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html