[stgt] [PATCH] iscsi: fix buffer overflow before login
FUJITA Tomonori
fujita.tomonori at lab.ntt.co.jp
Wed Mar 9 22:15:53 CET 2011
I've merged the following patch to fix this security issue:
http://lwn.net/Articles/432499/
=
From: FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp>
Subject: [PATCH] iscsi: fix buffer overflow before login
Needs to check if the received data isn't larger than
INCOMING_BUFSIZE.
Signed-off-by: FUJITA Tomonori <fujita.tomonori at lab.ntt.co.jp>
---
usr/iscsi/iscsid.c | 15 +++++++++++++++
1 files changed, 15 insertions(+), 0 deletions(-)
diff --git a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
index f739a12..abb6429 100644
--- a/usr/iscsi/iscsid.c
+++ b/usr/iscsi/iscsid.c
@@ -1979,6 +1979,13 @@ again:
conn->req.ahssize = conn->req.bhs.hlength * 4;
conn->req.datasize = ntoh24(conn->req.bhs.dlength);
conn->rx_size = conn->req.ahssize;
+
+ if (conn->state != STATE_SCSI &&
+ conn->req.ahssize > INCOMING_BUFSIZE) {
+ conn->state = STATE_CLOSE;
+ return;
+ }
+
if (conn->rx_size) {
conn->rx_buffer = conn->req.ahs;
conn->rx_iostate = IOSTATE_RX_AHS;
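Review bot: the `conn->state != STATE_SCSI` condition in the new AHS-size check carries no comment saying why connections in STATE_SCSI are exempt from the INCOMING_BUFSIZE bound, and the early `return` closes the connection without logging anything. A short comment tying the check to the pre-login buffer named in the commit message, plus a log line before `conn->state = STATE_CLOSE;`, would make it clear to later readers what the bound protects and would let an operator see why a peer with an oversized `hlength` was dropped.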
@@ -2031,6 +2038,14 @@ again:
if (conn->rx_size) {
conn->rx_iostate = IOSTATE_RX_DATA;
conn->rx_buffer = conn->req.data;
+
+ if (conn->state != STATE_SCSI) {
+ if (conn->req.ahssize + conn->rx_size >
+ INCOMING_BUFSIZE) {
+ conn->state = STATE_CLOSE;
+ return;
+ }
+ }
} else {
conn->rx_iostate = IOSTATE_RX_END;
break;
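Review bot: the data-size check sits after `conn->rx_iostate = IOSTATE_RX_DATA;` and `conn->rx_buffer = conn->req.data;` have already been assigned, so on the rejection path the connection is left pointing at the data buffer with a receive state set even though it is being closed. Moving the check above those two assignments would keep the rejected connection's state untouched. The nested `if` could also be written as a single `&&` condition to match the first hunk, and since the test sums `conn->req.ahssize + conn->rx_size`, a comment stating that AHS and data share the one INCOMING_BUFSIZE buffer before login would document why the two sizes are added rather than checked separately.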
--
1.7.2.3