[stgt] [PATCH] iscsi: fix isns_attr_query() and send_scn_rsp() buffer overflow

FUJITA Tomonori fujita.tomonori at lab.ntt.co.jp
Thu Jul 1 17:35:05 CEST 2010


print_scn_pdu() doesn't check the length of ISNS_ATTR_ISCSI_NAME so
that a bad pdu with a long iSCSI name could cause a buffer overflow in
isns_attr_query() and send_scn_rsp().

With this patch, the maximum length of iSCSI names that
print_scn_pdu() returns is 223 bytes (as the iSCSI RFC defines). The
buffer length in isns_attr_query() and send_scn_rsp() is long
enough.

Signed-off-by: FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp>
---
 usr/iscsi/isns.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/usr/iscsi/isns.c b/usr/iscsi/isns.c
index f228112..a0f7fcb 100644
--- a/usr/iscsi/isns.c
+++ b/usr/iscsi/isns.c
@@ -604,6 +604,7 @@ static char *print_scn_pdu(struct isns_hdr *hdr)
 	struct isns_tlv *tlv = (struct isns_tlv *) hdr->pdu;
 	uint16_t function, length, flags, transaction, sequence;
 	char *name = NULL;
+	static char iscsi_name[224];
 
 	get_hdr_param(hdr, function, length, flags, transaction, sequence);
 
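Review bot: the new `static char iscsi_name[224];` means the pointer print_scn_pdu() hands back now aliases one buffer that is overwritten on the next call, so isns_attr_query() and send_scn_rsp() must finish with the name before print_scn_pdu() runs again; a one-line comment on the declaration saying the returned name is only valid until the next call would save the next reader from guessing. The literal 224 also duplicates the 223-byte RFC limit the commit message cites; a named constant (e.g. the 223 limit plus one for the NUL) would keep this hunk and the callers' buffer sizes in step.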
@@ -613,8 +614,10 @@ static char *print_scn_pdu(struct isns_hdr *hdr)
 		switch (ntohl(tlv->tag)) {
 		case ISNS_ATTR_ISCSI_NAME:
 			eprintf("scn name: %u, %s\n", vlen, (char *) tlv->value);
-			if (!name)
-				name = (char *) tlv->value;
+			if (!name) {
+				snprintf(iscsi_name, sizeof(iscsi_name), (char *)tlv->value);
+				name = iscsi_name;
+			}
 			break;
 		case ISNS_ATTR_TIMESTAMP:
 /* 			log_error("%u : %u : %" PRIx64, ntohl(tlv->tag), vlen, */
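Review bot: `snprintf(iscsi_name, sizeof(iscsi_name), (char *)tlv->value);` passes network-supplied data as the format string, so a name containing `%` conversions is interpreted rather than copied, which is the very class of bug this patch sets out to close; it should be `snprintf(iscsi_name, sizeof(iscsi_name), "%s", (char *)tlv->value);`. Better still, bound the source by the TLV's own length as well as the destination, `snprintf(iscsi_name, sizeof(iscsi_name), "%.*s", (int)vlen, (char *)tlv->value);`, because nothing guarantees the value is NUL-terminated inside the PDU and plain `%s` will read past it. The unchanged `eprintf("scn name: %u, %s\n", vlen, (char *) tlv->value);` just above has the same unterminated-read problem and would benefit from the same `%.*s` treatment while this code is being touched.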
-- 
1.6.5
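As an added illustration of the bounded copy the patch is aiming for (this is not tgt's code and not part of the posted patch; the helper name copy_iscsi_name, the constant ISCSI_NAME_LEN and the sample inputs are all hypothetical), the following C shows a copy that is limited by both the TLV length field and the destination size, treats the value as bytes rather than a format string, and is exercised against a constructed overlong, unterminated name and a name made of printf conversion characters:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Maximum iSCSI name length in bytes (the 223 figure the patch cites). */
#define ISCSI_NAME_LEN 223

/* Hypothetical helper, not tgt's own code.
 * Copy an iSNS TLV string value into a fixed-size buffer.  The copy is
 * bounded twice: by vlen (the TLV's own length field, so an unterminated
 * value is never read past the end of the PDU) and by dstsize (so the
 * destination is never overrun).  The value is copied as bytes and never
 * handed to printf as a format string.  Returns the number of bytes
 * stored, not counting the terminating NUL. */
size_t copy_iscsi_name(char *dst, size_t dstsize,
                       const uint8_t *value, uint32_t vlen)
{
    size_t n = vlen;
    const uint8_t *nul;

    if (dstsize == 0)
        return 0;
    if (n > ISCSI_NAME_LEN)
        n = ISCSI_NAME_LEN;          /* protocol limit */
    if (n > dstsize - 1)
        n = dstsize - 1;             /* leave room for the NUL */

    /* The original code treated the value as a C string, so stop at an
     * embedded NUL if there is one inside the bounded window. */
    nul = memchr(value, '\0', n);
    if (nul)
        n = (size_t)(nul - value);

    memcpy(dst, value, n);
    dst[n] = '\0';
    return n;
}

/* Constructed sample: an overlong name with no terminator anywhere in the
 * PDU, as a hostile iSNS client could send. */
static size_t demo_overlong(char *dst, size_t dstsize)
{
    uint8_t value[500];
    memset(value, 'a', sizeof(value));
    return copy_iscsi_name(dst, dstsize, value, (uint32_t)sizeof(value));
}

int main(void)
{
    char name[ISCSI_NAME_LEN + 1];
    size_t n = demo_overlong(name, sizeof(name));
    printf("stored %zu bytes, strlen %zu\n", n, strlen(name));
    n = copy_iscsi_name(name, sizeof(name), (const uint8_t *)"%s%n", 4);
    printf("copied literally: %s (%zu bytes)\n", name, n);
    return 0;
}
```

The two bounds are independent: with a 224-byte destination the RFC limit wins and 223 bytes are stored; with a smaller destination the buffer size wins. Either way the copy never reads beyond vlen bytes of the TLV and never interprets `%` sequences.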
