Re: Possible overflow in spc_inquiry

Hi

I've got a few patches systematically fixing a number of problems in
SPC, including this one.
Going to send them soon, in a day or two.

Tomo, have you had a chance to look at the previous patches, PGR related?

Alexander


On Sun, Jan 13, 2013 at 4:14 PM, Frediano Ziglio <freddy77@xxxxxxxxx> wrote:
>
> Hi,
>   in spc_inquiry, copying a page, you have this code
>
>   data[0] = devtype;
>   data[1] = pcode;
>   data[2] = (vpd_pg->size >> 8);
>   data[3] = vpd_pg->size & 0xff;
>   memcpy(&data[4], vpd_pg->data, vpd_pg->size);
>   len = vpd_pg->size + 4;
>
> however data points to a stack-allocated buffer of 256 bytes, so if
> vpd_pg->size is > 252 (data copied from byte 4) you have a possible
> overflow.
> vpd_pg->size is 16-bit and you use the entire length just to fill data[2]
> and data[3], so this seems to confirm that size could be quite big.
>
> Happily, however, pages are all allocated in spc.c code and the sizes are
> quite small, so now it's not exploitable.
>
> I was trying to support more scsi_id emulations (like NAA).
>
> Frediano
> --
> To unsubscribe from this list: send the line "unsubscribe stgt" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
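The bounded form of the copy Frediano describes, as an added example that is not tgt's code: the response is built only after checking that the page fits in the caller's buffer, so a vpd_pg->size above 252 is rejected instead of running past a 256-byte stack buffer. The struct vpd_page layout and the names build_vpd_inquiry and demo are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the VPD page descriptor referenced in the mail
 * (vpd_pg->size, vpd_pg->data); the field types are assumed. */
struct vpd_page {
    uint16_t size;          /* 16-bit, as the mail notes */
    uint8_t data[512];      /* constructed: large enough to exceed 252 */
};

#define INQUIRY_HDR_LEN 4

/* Build an EVPD INQUIRY response into buf (buf_len bytes).
 * Returns the response length, or -1 if the page does not fit.
 * Hardened form of the quoted pattern: the memcpy is bounded by the
 * caller-supplied buffer length rather than trusting vpd_pg->size. */
int build_vpd_inquiry(uint8_t *buf, size_t buf_len,
                      uint8_t devtype, uint8_t pcode,
                      const struct vpd_page *vpd_pg)
{
    if (buf_len < INQUIRY_HDR_LEN)
        return -1;
    if ((size_t)vpd_pg->size > buf_len - INQUIRY_HDR_LEN)
        return -1;   /* would overflow the buffer: reject */

    buf[0] = devtype;
    buf[1] = pcode;
    buf[2] = vpd_pg->size >> 8;
    buf[3] = vpd_pg->size & 0xff;
    memcpy(&buf[INQUIRY_HDR_LEN], vpd_pg->data, vpd_pg->size);
    return vpd_pg->size + INQUIRY_HDR_LEN;
}

/* Exercise the check with the same 256-byte stack buffer as in the mail. */
int demo(uint16_t page_size)
{
    uint8_t data[256];
    struct vpd_page pg = { .size = page_size };
    memset(pg.data, 0xAB, sizeof(pg.data));   /* constructed page payload */
    return build_vpd_inquiry(data, sizeof(data), 0x00, 0x83, &pg);
}

int main(void)
{
    printf("size 252 -> %d\n", demo(252));  /* fits exactly: 256 */
    printf("size 253 -> %d\n", demo(253));  /* rejected: -1 */
    return 0;
}
```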

