[stgt] Possible overflow in spc_inquiry
freddy77 at gmail.com
Sun Jan 13 15:14:34 CET 2013
In spc_inquiry, when copying a page, you have this code:
	data[0] = devtype;
	data[1] = pcode;
	data[2] = (vpd_pg->size >> 8);
	data[3] = vpd_pg->size & 0xff;
	memcpy(&data[4], vpd_pg->data, vpd_pg->size);
	len = vpd_pg->size + 4;
However, data points to a stack-allocated buffer of 256 bytes, so if
vpd_pg->size is > 252 (data is copied from byte 4) you have a possible
vpd_pg->size is 16 bit and you use the entire length just to fill data[2]
and data[3], so this seems to confirm that the size could be quite big.
Happily, however, pages are all allocated in the spc.c code and the sizes are
quite small, so for now it's not exploitable.
I was trying to support more scsi_id emulations (like NAA).
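Added example, not from the stgt source or the poster: a guarded version of the quoted copy that rejects a page whose 4-byte header plus payload would not fit the 256-byte buffer, using a constructed stand-in for the vpd page struct (field names and sizes assumed).

```c
#include <stdint.h>
#include <string.h>

#define INQ_BUF_SIZE 256   /* stack buffer size described in the post */
#define INQ_HDR_SIZE 4     /* devtype, pcode, size high byte, size low byte */

/* Constructed stand-in for stgt's vpd page (field names assumed). */
struct vpd_page {
    uint16_t size;
    uint8_t data[512];
};

/* Hardened copy: writes header + payload into data[] only when it fits.
 * Returns the number of bytes written, or -1 if the page would overflow. */
static int inquiry_copy_page(uint8_t *data, size_t data_len,
                             uint8_t devtype, uint8_t pcode,
                             const struct vpd_page *pg)
{
    /* The quoted code lacks this check: size > data_len - 4 overflows. */
    if (data_len < INQ_HDR_SIZE || pg->size > data_len - INQ_HDR_SIZE)
        return -1;
    data[0] = devtype;
    data[1] = pcode;
    data[2] = (uint8_t)(pg->size >> 8);
    data[3] = (uint8_t)(pg->size & 0xff);
    memcpy(&data[4], pg->data, pg->size);
    return (int)(INQ_HDR_SIZE + pg->size);
}

/* Exercise the boundary the post identifies: 252 fits, 253 does not.
 * Uses a constructed payload and the 0x83 (Device Identification) page code. */
static int check_boundary(uint16_t size)
{
    uint8_t buf[INQ_BUF_SIZE];
    struct vpd_page pg;

    if (size > sizeof pg.data)
        return -1;                 /* keep the constructed page in bounds */
    pg.size = size;
    memset(pg.data, 0xAB, size);   /* constructed payload */
    return inquiry_copy_page(buf, sizeof buf, 0x00, 0x83, &pg);
}
```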