[stgt] Possible overflow in spc_inquiry

Frediano Ziglio freddy77 at gmail.com
Sun Jan 13 15:14:34 CET 2013


Hi,
  in spc_inquiry copying a page yor have this code

  data[0] = devtype;
  data[1] = pcode;
  data[2] = (vpd_pg->size >> 8);
  data[3] = vpd_pg->size & 0xff;
  memcpy(&data[4], vpd_pg->data, vpd_pg->size);
  len = vpd_pg->size + 4;

however data points to a stack allocated buffer of 256 bytes so if
vpd_pg->size is > 252 (data copyed from byte 4) you have a possible
overflow.
vpd_pg->size is 16 bit and you use entire length just to fill data[2]
and data[3] so this seems to confirm that size could be quite big.

Happily however pages are all allocate in spc.c code and the size are
quite small so now it's not exploitable.

I was trying supporting more scsi_id emulations (like NAA).

Frediano
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the stgt mailing list