[stgt] [PATCH] iscsi: fix the handling of bogus tlv->length
FUJITA Tomonori
fujita.tomonori at lab.ntt.co.jp
Thu Jul 1 17:35:06 CEST 2010
Signed-off-by: FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp>
---
usr/iscsi/isns.c | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/usr/iscsi/isns.c b/usr/iscsi/isns.c
index a0f7fcb..a61c72f 100644
--- a/usr/iscsi/isns.c
+++ b/usr/iscsi/isns.c
@@ -611,6 +611,9 @@ static char *print_scn_pdu(struct isns_hdr *hdr)
while (length) {
uint32_t vlen = ntohl(tlv->length);
+ if (vlen + sizeof(*tlv) > length)
+ vlen = length - sizeof(*tlv);
+
switch (ntohl(tlv->tag)) {
case ISNS_ATTR_ISCSI_NAME:
eprintf("scn name: %u, %s\n", vlen, (char *) tlv->value);
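Review bot: The clamp `vlen = length - sizeof(*tlv)` can itself wrap when fewer than `sizeof(*tlv)` bytes remain, because nothing visible in the hunk checks that `length` covers a full TLV header before `tlv->length` is read. The same pattern is repeated in the second hunk after `length -= 4`. I would add `if (length < sizeof(*tlv)) break;` at the top of the loop body and write the test as `if (vlen > length - sizeof(*tlv))`, which also avoids the addition wrapping on builds where `size_t` is 32 bits. The declaration of `length` and the rest of print_scn_pdu lie outside the hunk, so whether to break or take an error path should be checked against the code that follows.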
@@ -678,11 +681,17 @@ found:
/* skip status */
tlv = (struct isns_tlv *) ((char *) hdr->pdu + 4);
+
+ if (length < 4)
+ goto free_qry_mgmt;
length -= 4;
while (length) {
uint32_t vlen = ntohl(tlv->length);
+ if (vlen + sizeof(*tlv) > length)
+ vlen = length - sizeof(*tlv);
+
switch (ntohl(tlv->tag)) {
case ISNS_ATTR_ISCSI_NAME:
name = (char *) tlv->value;
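Review bot: `name = (char *) tlv->value` keeps a pointer into the received PDU, and clamping `vlen` does not guarantee a NUL terminator inside those `vlen` bytes, so a later string use of `name` may read past the attribute. The `%s` in the eprintf of the first hunk has the same exposure. A check such as `if (!vlen || !memchr(tlv->value, '\0', vlen)) goto free_qry_mgmt;` before the assignment would reject an unterminated name, and the log line can be bounded with `%.*s`. How `name` is consumed is outside the hunk, so this is inferred from the assignment alone.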
--
1.6.5