print_snc_pdu() doesn't check the length of ISNS_ATTR_ISCSI_NAME so that a bad pdu with a long iSCSN name could cause a buffer overflow in isns_attr_query() and send_scn_rsp(). With this patch, the maximum length of iSCSI names that print_snc_pdu() returns is 223 bytes (as iSCSI RFC defines). The buffer length in isns_attr_query() and send_scn_rsp() is long enough. Signed-off-by: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx> --- usr/iscsi/isns.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/usr/iscsi/isns.c b/usr/iscsi/isns.c index f228112..a0f7fcb 100644 --- a/usr/iscsi/isns.c +++ b/usr/iscsi/isns.c @@ -604,6 +604,7 @@ static char *print_scn_pdu(struct isns_hdr *hdr) struct isns_tlv *tlv = (struct isns_tlv *) hdr->pdu; uint16_t function, length, flags, transaction, sequence; char *name = NULL; + static char iscsi_name[224]; get_hdr_param(hdr, function, length, flags, transaction, sequence); @@ -613,8 +614,10 @@ static char *print_scn_pdu(struct isns_hdr *hdr) switch (ntohl(tlv->tag)) { case ISNS_ATTR_ISCSI_NAME: eprintf("scn name: %u, %s\n", vlen, (char *) tlv->value); - if (!name) - name = (char *) tlv->value; + if (!name) { + snprintf(iscsi_name, sizeof(iscsi_name), (char *)tlv->value); + name = iscsi_name; + } break; case ISNS_ATTR_TIMESTAMP: /* log_error("%u : %u : %" PRIx64, ntohl(tlv->tag), vlen, */ -- 1.6.5 -- To unsubscribe from this list: send the line "unsubscribe stgt" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html