[stgt] [RESEND] [PATCH] Fix for segfault in tgtd sendtargets

Chris Webb chris at arachsys.com
Fri Apr 3 01:45:52 CEST 2009 

I have an amd64 host exporting around 70 iscsi targets (each with one LUN)
using tgtd. Exporting the targets works fine, but when I run a 'sendtargets'
discovery against the host, tgtd segfaults in conn_exit() because of heap
corruption when it tries to free conn->rsp_buffer.

  (gdb) print conn->rsp.datasize                 
  $12 = 13104

It turns out conn->rsp_buffer is being filled beyond INCOMING_BUFSIZE (8192)
by text_key_add() because it checks for overflow of conn->tx_size instead of
conn->rsp.datasize. The faulty test is fixed by:

Signed-off-by: Chris Webb <chris at arachsys.com>

diff -uNrp a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
--- a/usr/iscsi/iscsid.c	2009-03-28 22:54:21.000000000 +0000
+++ b/usr/iscsi/iscsid.c	2009-03-28 23:09:06.000000000 +0000
@@ -160,7 +160,7 @@ void text_key_add(struct iscsi_connectio
 	if (!conn->rsp.datasize)
 		conn->rsp.data = conn->rsp_buffer;
 
-	if (conn->tx_size + len > INCOMING_BUFSIZE) {
+	if (conn->rsp.datasize + len > INCOMING_BUFSIZE) {
 		log_warning("Dropping key (%s=%s)", key, value);
 		return;
 	}


However, I don't think this is the right fix, because sendtargets would
remain broken as soon as the size of the target list exceeed
INCOMING_BUFSIZE. The following patch instead realloc()s the response buffer
if it needs to grow to accommodate the target list:

Signed-off-by: Chris Webb <chris at arachsys.com>

diff -uNrp a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
--- a/usr/iscsi/iscsid.c	2009-03-28 22:54:21.000000000 +0000
+++ b/usr/iscsi/iscsid.c	2009-03-28 23:26:48.000000000 +0000
@@ -160,12 +160,18 @@ void text_key_add(struct iscsi_connectio
 	if (!conn->rsp.datasize)
 		conn->rsp.data = conn->rsp_buffer;
 
-	if (conn->tx_size + len > INCOMING_BUFSIZE) {
-		log_warning("Dropping key (%s=%s)", key, value);
-		return;
+	buffer = conn->rsp_buffer;
+
+	if (conn->rsp.datasize + len > INCOMING_BUFSIZE) {
+		buffer = realloc(buffer, conn->rsp.datasize + len);
+		if (buffer)
+			conn->rsp_buffer = buffer;
+		else {
+			log_warning("Dropping key (%s=%s)", key, value);
+			return;
+		}
 	}
 
-	buffer = conn->rsp_buffer;
 	buffer += conn->rsp.datasize;
 	conn->rsp.datasize += len;
 

Best wishes,

Chris.
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the stgt mailing list