On Mon, Jun 30, 2014 at 07:02:20AM -0700, Roland Dreier wrote:
> Hi Nic/Greg,
>
> Sorry for not paying close enough attention when this went by, but it
> looks like the backport of commit 79d59d08082d ("iscsi-target: Fix
> wrong buffer / buffer overrun in iscsi_change_param_value()") to 3.10,
> namely commit d5c55fa31a29, is incorrect.
>
> In particular, the upstream version of iscsi_target_login.c has the
> following code, brought in by 79d59d08082d:
>
>     static int iscsi_login_non_zero_tsih_s2(
>             struct iscsi_conn *conn,
>             unsigned char *buf)
>     {
>
>     ...
>
>             if (iscsi_change_param_sprintf(conn, "TargetPortalGroupTag=%hu", sess->tpg->tpgt))
>                     return -1;
>
> while the 3.10.45 / d5c55fa31a29 version still has:
>
>     static int iscsi_login_non_zero_tsih_s2(
>             struct iscsi_conn *conn,
>             unsigned char *buf)
>     {
>
>     ...
>
>             memset(buf, 0, 32);
>             sprintf(buf, "TargetPortalGroupTag=%hu", ISCSI_TPG_S(sess)->tpgt);
>             if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) {
>                     iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
>                                     ISCSI_LOGIN_STATUS_NO_RESOURCES);
>                     return -1;
>             }
>
> which still has the bug of using the "buf" parameter as a temporary
> buffer.
>
> So I think we want the patch below applied to 3.10. I checked the
> 3.14 tree and it looks OK.

Thanks, I've now queued this up.

greg k-h
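The pattern discussed in this thread, as an added userspace C sketch (not kernel code and not the upstream patch): a helper formats the key=value string into a fixed-size buffer it owns, using vsnprintf(), instead of using the caller's "buf" as scratch space. change_param_value(), change_param_sprintf(), login_step() and the sample data are constructed stand-ins, and the 64-byte size is an assumption.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the negotiated-parameter store. */
static char last_param[64];

static int change_param_value(const char *keyvalue)
{
    if (strchr(keyvalue, '=') == NULL)
        return -1;                      /* not a key=value pair */
    snprintf(last_param, sizeof last_param, "%s", keyvalue);
    return 0;
}

/*
 * Format into a buffer whose size this function knows, rather than
 * into a caller-supplied pointer of unknown size and ownership.
 * Returns -1 on a format error or if the result would not fit.
 */
static int change_param_sprintf(const char *fmt, ...)
{
    char tmp[64];
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof tmp)
        return -1;                      /* refuse rather than truncate */
    return change_param_value(tmp);
}

/* Constructed caller: "buf" holds data that must survive the call. */
static int login_step(unsigned char *buf, unsigned short tpgt)
{
    (void)buf;                          /* deliberately not used as scratch */
    return change_param_sprintf("TargetPortalGroupTag=%hu", tpgt);
}

int main(void)
{
    unsigned char login_data[8] = "InitNam";    /* constructed sample */
    int rc = login_step(login_data, 1);

    printf("rc=%d param=%s buf=%s\n", rc, last_param,
           (const char *)login_data);
    return rc ? 1 : 0;
}
```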