[Stgt-devel] [PATCH spc/mmc 4/4] RESEND modesense memory corruption bug

ronnie sahlberg ronniesahlberg
Tue May 6 22:17:49 CEST 2008

On Wed, May 7, 2008 at 12:43 AM, FUJITA Tomonori
<fujita.tomonori at lab.ntt.co.jp> wrote:
> We still have the same problem here? If a buggy (or malicious)
> initiator sends a bogus cdb, alloc_len can be larger than what we
> actually allocated.


For example if an application tries to "probe" the size of a modepage
by doing a mode sense and specifying alloc_len == 20 for example when
requesting the
modepage for MM Capabilities (which is >60 bytes in size)
then the memcpy() will corrupt data and tgtd will crash.

> I'll fix this bug later.

ok. thanks.

More information about the stgt mailing list