On Wed, May 7, 2008 at 12:43 AM, FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp> wrote: ... > > We still have the same problem here? If a buggy (or malicious) > initiator sends a bogus cdb, alloc_len can be larger than what we > actually allocated. Yes. For example if an application tries to "probe" the size of a modepage by doing a mode sense and specifying alloc_len == 20 for example when requesting the modepage for MM Capabilities (which is >60 bytes in size) then the memcpy() will corrupt data and tgtd will crash. > > I'll fix this bug later. > ok. thanks. |