I've merged the following patch to fix this security issue: http://lwn.net/Articles/432499/ = From: FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp> Subject: [PATCH] iscsi: fix buffer overflow before login Needs to check if the received data isn't larger than INCOMING_BUFSIZE. Signed-off-by: FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp> --- usr/iscsi/iscsid.c | 15 +++++++++++++++ 1 files changed, 15 insertions(+), 0 deletions(-) diff --git a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c index f739a12..abb6429 100644 --- a/usr/iscsi/iscsid.c +++ b/usr/iscsi/iscsid.c @@ -1979,6 +1979,13 @@ again: conn->req.ahssize = conn->req.bhs.hlength * 4; conn->req.datasize = ntoh24(conn->req.bhs.dlength); conn->rx_size = conn->req.ahssize; + + if (conn->state != STATE_SCSI && + conn->req.ahssize > INCOMING_BUFSIZE) { + conn->state = STATE_CLOSE; + return; + } + if (conn->rx_size) { conn->rx_buffer = conn->req.ahs; conn->rx_iostate = IOSTATE_RX_AHS; @@ -2031,6 +2038,14 @@ again: if (conn->rx_size) { conn->rx_iostate = IOSTATE_RX_DATA; conn->rx_buffer = conn->req.data; + + if (conn->state != STATE_SCSI) { + if (conn->req.ahssize + conn->rx_size > + INCOMING_BUFSIZE) { + conn->state = STATE_CLOSE; + return; + } + } } else { conn->rx_iostate = IOSTATE_RX_END; break; -- 1.7.2.3
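
Review bot: The AHS length check added in the first hunk (right after `conn->rx_size = conn->req.ahssize;`) is skipped whenever `conn->state == STATE_SCSI`, and neither the hunk nor the commit message says why that state needs no bound. A short comment stating what backs `conn->req.ahs` once the connection is in `STATE_SCSI`, and why `INCOMING_BUFSIZE` applies only before that, would let the next reader confirm the exemption is safe. The rejection path also sets `STATE_CLOSE` and returns silently; logging the offending `ahssize` there would make an oversized pre-login PDU visible to whoever operates the target.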
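
Review bot: In the second hunk the combined check `conn->req.ahssize + conn->rx_size > INCOMING_BUFSIZE` runs only after `conn->rx_iostate = IOSTATE_RX_DATA;` and `conn->rx_buffer = conn->req.data;` have been assigned, so receive state is set up for a PDU that is then rejected. Moving the check above those two assignments keeps validation ahead of any state change. The nested `if` can be folded into the single `&&` condition used in the first hunk, and since both hunks repeat the same "not `STATE_SCSI` and larger than `INCOMING_BUFSIZE`" test, a small helper would keep the two limits from drifting apart. A one-line comment explaining why `ahssize` is added to `rx_size` here (the visible lines do not show how the AHS and data buffers relate before login) would also help.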