[stgt] [RESEND] [PATCH] Fix for segfault in tgtd sendtargets
FUJITA Tomonori
fujita.tomonori at lab.ntt.co.jp
Tue Apr 21 01:12:32 CEST 2009
On Mon, 20 Apr 2009 16:21:01 +0200
Arne Redlich <arne.redlich at googlemail.com> wrote:
> Sorry for being that late in the game, but I think the patch should be
> reverted:
>
> Am Freitag, den 03.04.2009, 00:45 +0100 schrieb Chris Webb:
> > I have an amd64 host exporting around 70 iscsi targets (each with one LUN)
> > using tgtd. Exporting the targets works fine, but when I run a 'sendtargets'
> > discovery against the host, tgtd segfaults in conn_exit() because of heap
> > corruption when it tries to free conn->rsp_buffer.
> >
> > (gdb) print conn->rsp.datasize
> > $12 = 13104
> >
> > It turns out conn->rsp_buffer is being filled beyond INCOMING_BUFSIZE (8192)
> > by text_key_add() because it checks for overflow of conn->tx_size instead of
> > conn->rsp.datasize. The faulty test is fixed by:
> >
> > Signed-off-by: Chris Webb <chris at arachsys.com>
> >
> > diff -uNrp a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
> > --- a/usr/iscsi/iscsid.c 2009-03-28 22:54:21.000000000 +0000
> > +++ b/usr/iscsi/iscsid.c 2009-03-28 23:09:06.000000000 +0000
> > @@ -160,7 +160,7 @@ void text_key_add(struct iscsi_connectio
> > if (!conn->rsp.datasize)
> > conn->rsp.data = conn->rsp_buffer;
> >
> > - if (conn->tx_size + len > INCOMING_BUFSIZE) {
> > + if (conn->rsp.datasize + len > INCOMING_BUFSIZE) {
> > log_warning("Dropping key (%s=%s)", key, value);
> > return;
> > }
> >
> >
> > However, I don't think this is the right fix,
>
> No, it actually is.
Duh, you are right. I'll revert the commit and put the above.
> > because sendtargets would
> > remain broken as soon as the size of the target list exceeed
> > INCOMING_BUFSIZE. The following patch instead realloc()s the response buffer
> > if it needs to grow to accommodate the target list:
>
> The buffer cannot be arbitrarily reallocated. Ultimately this will lead
> to a violation of the MaxRecvDSL the initiator (implicitly) declared. To
> get this right the target list will have to be split into multiple PDUs,
> which is AFAIK not supported.
Yeah.
Hmm, I can't recall why we supports MaxRecvDSL negotiation in
discovery session.
--
To unsubscribe from this list: send the line "unsubscribe stgt" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the stgt
mailing list