[stgt] Possible overflow in spc_inquiry
Frediano Ziglio
freddy77 at gmail.com
Sun Jan 13 15:14:34 CET 2013
Hi,
in spc_inquiry copying a page you have this code:
data[0] = devtype;
data[1] = pcode;
data[2] = (vpd_pg->size >> 8);
data[3] = vpd_pg->size & 0xff;
memcpy(&data[4], vpd_pg->data, vpd_pg->size);
len = vpd_pg->size + 4;
however data points to a stack allocated buffer of 256 bytes so if
vpd_pg->size is > 252 (data copied from byte 4) you have a possible
overflow.
vpd_pg->size is 16 bit and you use entire length just to fill data[2]
and data[3] so this seems to confirm that size could be quite big.
Happily however pages are all allocated in spc.c code and the sizes are
quite small so now it's not exploitable.
I was trying to support more scsi_id emulations (like NAA).
Frediano
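An added example (not code from the tgt tree or from this mail) of the length check a reviewer would want in front of that memcpy: the copy refuses any page whose 4-byte header plus payload would not fit in the caller's buffer. The struct vpd_page layout, INQ_BUF_LEN and the helper names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the VPD page object in spc.c (assumption, not tgt's type). */
struct vpd_page {
    uint16_t size;             /* 16-bit length field, so nominally up to 65535 */
    unsigned char data[300];
};

#define INQ_BUF_LEN 256        /* size of the stack buffer mentioned in the mail */
#define INQ_HDR_LEN 4          /* devtype, pcode and the two length bytes */

/*
 * Length-checked version of the copy quoted in the mail (hypothetical helper).
 * Returns the number of bytes written to data[], or -1 when the page would
 * not fit in a buffer of data_len bytes; the buffer is left untouched then.
 */
int fill_vpd_checked(unsigned char *data, size_t data_len, int devtype,
                     int pcode, const struct vpd_page *vpd_pg)
{
    if (data_len < INQ_HDR_LEN || vpd_pg->size > data_len - INQ_HDR_LEN)
        return -1;             /* header + payload would exceed the buffer */
    data[0] = devtype;
    data[1] = pcode;
    data[2] = vpd_pg->size >> 8;
    data[3] = vpd_pg->size & 0xff;
    memcpy(&data[4], vpd_pg->data, vpd_pg->size);
    return (int)vpd_pg->size + INQ_HDR_LEN;
}

/* Build a constructed page of the given size and attempt the copy into a
 * 256-byte buffer, as the stack buffer in spc_inquiry would be. */
int try_page(uint16_t size)
{
    struct vpd_page pg;
    unsigned char buf[INQ_BUF_LEN];
    if (size > sizeof(pg.data))
        return -2;             /* larger than this example's constructed page */
    pg.size = size;
    memset(pg.data, 0xAB, size);
    return fill_vpd_checked(buf, sizeof(buf), 0x00, 0x83, &pg);
}

int main(void)
{
    printf("size 64  -> %d\n", try_page(64));    /* 68 */
    printf("size 252 -> %d\n", try_page(252));   /* 256: exactly fills the buffer */
    printf("size 253 -> %d\n", try_page(253));   /* -1: rejected instead of overflowing */
    return 0;
}
```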