Found by coverity. It appears as if the initiator can cause a kernel
NULL pointer dereference at will. Some might consider such behaviour
bad. My trivial patch will avoid such badness, at the cost of
potentially introducing unexpected behaviour - the internals of
iscsit_handle_nop_out() are complicated and don't always dereference
NULL.
Better patches are welcome. But in the absence of a better patch, this
at least doesn't leave trivial DoS vectors open to the public.
Signed-off-by: Joern Engel <joern@xxxxxxxxx>
---
drivers/target/iscsi/iscsi_target.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index f9d2b1255856..416824a168c2 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4007,9 +4007,9 @@ static int iscsi_target_rx_opcode(struct iscsi_conn *conn, unsigned char *buf)
cmd = NULL;
if (hdr->ttt == cpu_to_be32(0xFFFFFFFF)) {
cmd = iscsit_allocate_cmd(conn, TASK_INTERRUPTIBLE);
- if (!cmd)
- goto reject;
}
+ if (!cmd)
+ goto reject;
ret = iscsit_handle_nop_out(conn, cmd, buf);
break;
case ISCSI_OP_SCSI_TMFUNC:
--
2.0.0.rc0.1.g7b2ba98
--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
