[Stgt-devel] [PATCH spc/mmc 4/4] RESEND modesense memory corruption bug
ronnie sahlberg
Tue May 6 22:17:49 CEST 2008
On Wed, May 7, 2008 at 12:43 AM, FUJITA Tomonori
<fujita.tomonori at lab.ntt.co.jp> wrote:
...
>
> We still have the same problem here? If a buggy (or malicious)
> initiator sends a bogus cdb, alloc_len can be larger than what we
> actually allocated.
Yes.
For example, if an application tries to "probe" the size of a modepage by doing a mode sense and specifying alloc_len == 20, for example when requesting the modepage for MM Capabilities (which is >60 bytes in size), then the memcpy() will corrupt data and tgtd will crash.
>
> I'll fix this bug later.
>
ok. thanks.
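The failure mode discussed in this thread, as an added example that is not tgtd's code and not part of the original mail: a MODE SENSE(10) reply assembled by copying the page with the page's own length (so a probing initiator's alloc_len of 20 overflows a 20-byte buffer), beside a bounded version that still reports the full mode data length in the header so the initiator learns the real size and can retry. The page code 0x2A for MM Capabilities, the page body, the 64-byte page size (standing in for the ">60 bytes" above) and all function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not tgtd code.  The page code, page body and the
 * 64-byte page size are assumptions made for this demonstration. */

#define MODE_SENSE_10   0x5A
#define MODE10_HDR_LEN  8        /* MODE SENSE(10) mode parameter header */
#define MM_PAGE_LEN     64       /* assumed size, mirrors ">60 bytes" in the thread */

/* Constructed page: byte 0 = page code (0x2A assumed), byte 1 = number of
 * bytes following byte 1, the rest is zero filler. */
static const uint8_t mm_page[MM_PAGE_LEN] = { 0x2A, MM_PAGE_LEN - 2 };

/* Allocation length is CDB bytes 7-8 (big endian) of MODE SENSE(10).
 * Returns -1 for any other opcode. */
int mode_sense10_alloc_len(const uint8_t *cdb)
{
    if (cdb[0] != MODE_SENSE_10)
        return -1;
    return (cdb[7] << 8) | cdb[8];
}

/* The unsafe shape: the caller sized buf from the initiator's allocation
 * length, but the copy is bounded only by the page size.  With
 * alloc_len == 20 this writes 72 bytes into a 20-byte buffer.  Callers in
 * this file only pass buffers of at least 72 bytes so the demonstration
 * itself stays well defined. */
size_t build_mode_sense10_unsafe(uint8_t *buf, size_t alloc_len)
{
    uint16_t mode_data_len = MODE10_HDR_LEN + MM_PAGE_LEN - 2;

    (void)alloc_len;                        /* never consulted: the bug */
    memset(buf, 0, MODE10_HDR_LEN);
    buf[0] = (uint8_t)(mode_data_len >> 8);
    buf[1] = (uint8_t)(mode_data_len & 0xff);
    memcpy(buf + MODE10_HDR_LEN, mm_page, MM_PAGE_LEN);
    return MODE10_HDR_LEN + MM_PAGE_LEN;
}

/* Bounded version: the header still carries the full mode data length so a
 * probing initiator (alloc_len == 20) learns the real size and can retry,
 * but never more than min(alloc_len, buf_len) bytes are written.  Clamping
 * to buf_len as well covers a bogus CDB whose alloc_len exceeds what was
 * actually allocated. */
size_t build_mode_sense10_safe(uint8_t *buf, size_t buf_len, size_t alloc_len)
{
    uint8_t hdr[MODE10_HDR_LEN];
    size_t total = MODE10_HDR_LEN + MM_PAGE_LEN;             /* 72 */
    uint16_t mode_data_len = (uint16_t)(total - 2);          /* 70 */
    size_t limit = alloc_len < buf_len ? alloc_len : buf_len;
    size_t n = total < limit ? total : limit;
    size_t from_hdr = n < MODE10_HDR_LEN ? n : MODE10_HDR_LEN;

    memset(hdr, 0, sizeof hdr);
    hdr[0] = (uint8_t)(mode_data_len >> 8);
    hdr[1] = (uint8_t)(mode_data_len & 0xff);
    memcpy(buf, hdr, from_hdr);
    if (n > MODE10_HDR_LEN)
        memcpy(buf + MODE10_HDR_LEN, mm_page, n - MODE10_HDR_LEN);
    return n;
}

/* Size the initiator should request next, read back from a (possibly
 * truncated) reply: mode data length field plus the 2 bytes of the field. */
size_t mode_sense10_full_len(const uint8_t *reply)
{
    return (size_t)(((reply[0] << 8) | reply[1]) + 2);
}

int main(void)
{
    /* Constructed MODE SENSE(10) CDB: page 0x2A, allocation length 20. */
    const uint8_t probe_cdb[10] = { 0x5A, 0, 0x2A, 0, 0, 0, 0, 0x00, 0x14, 0 };
    int alloc_len = mode_sense10_alloc_len(probe_cdb);
    uint8_t buf[21];                        /* 20-byte buffer plus 1 canary */
    size_t n;

    buf[20] = 0xAA;
    n = build_mode_sense10_safe(buf, 20, (size_t)alloc_len);
    printf("probe: asked %d, got %zu bytes, full reply is %zu, canary %s\n",
           alloc_len, n, mode_sense10_full_len(buf),
           buf[20] == 0xAA ? "intact" : "CLOBBERED");
    return 0;
}
```

The check a practitioner wants in the target is the `limit` computation: the copy length must be bounded by the initiator's allocation length and by the buffer actually allocated, never by the page size alone, while the header keeps reporting the full length so truncation remains visible to the initiator.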