[stgt] Possible overflow in spc_inquiry
nezhinsky at gmail.com
Sun Jan 13 19:59:51 CET 2013
I've got a few patches systematically fixing a number of problems in
SPC, including this one.
Going to send them soon, in a day or two.
Tomo, have you had a chance to look at the previous patches, PGR related?
On Sun, Jan 13, 2013 at 4:14 PM, Frediano Ziglio <freddy77 at gmail.com> wrote:
> In spc_inquiry copying a page you have this code
> data[0] = devtype;
> data[1] = pcode;
> data[2] = (vpd_pg->size >> 8);
> data[3] = vpd_pg->size & 0xff;
> memcpy(&data[4], vpd_pg->data, vpd_pg->size);
> len = vpd_pg->size + 4;
> however data points to a stack allocated buffer of 256 bytes so if
> vpd_pg->size is > 252 (data copied from byte 4) you have a possible
> vpd_pg->size is 16 bit and you use entire length just to fill data[2]
> and data[3] so this seems to confirm that size could be quite big.
> Happily however pages are all allocated in spc.c code and the sizes are
> quite small so now it's not exploitable.
> I was trying supporting more scsi_id emulations (like NAA).
> To unsubscribe from this list: send the line "unsubscribe stgt" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
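The copy pattern Frediano describes above (a 256-byte stack buffer, a 4-byte header, a 16-bit vpd_pg->size driving the memcpy), as an added C example that is not stgt's code: the unchecked form next to a version that takes the buffer capacity and refuses a page that does not fit. The struct and function names (vpd_page, vpd_copy_unchecked, vpd_copy_checked, the demo_* helpers) are assumptions for illustration; only the vpd_pg->size/vpd_pg->data fields and the 256/4 figures come from the report.

```c
/*
 * Added example, not stgt's code. Shows the INQUIRY VPD copy pattern
 * from the report and the bounds check it is missing. Names here
 * (vpd_page, vpd_copy_*, demo_*) are illustrative assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INQ_BUF_SIZE 256   /* the 256-byte stack buffer from the report */
#define VPD_HDR_LEN  4     /* devtype, page code, 2-byte page length */

struct vpd_page {
    uint16_t size;         /* 16-bit field: can be anything up to 65535 */
    const uint8_t *data;
};

/*
 * Original pattern (vulnerable): writes vpd->size bytes after the 4-byte
 * header without knowing how big the destination is. Kept only to show
 * the shape; never call it with a page larger than cap - 4 bytes.
 */
static int vpd_copy_unchecked(uint8_t *data, uint8_t devtype, uint8_t pcode,
                              const struct vpd_page *vpd)
{
    data[0] = devtype;
    data[1] = pcode;
    data[2] = (uint8_t)(vpd->size >> 8);
    data[3] = (uint8_t)(vpd->size & 0xff);
    memcpy(&data[VPD_HDR_LEN], vpd->data, vpd->size);
    return vpd->size + VPD_HDR_LEN;
}

/*
 * Hardened form: the caller passes the buffer capacity and the copy is
 * refused (returns -1) when header + page would not fit. The comparison
 * is done in size_t so a large 16-bit size cannot wrap the arithmetic.
 */
static int vpd_copy_checked(uint8_t *data, size_t cap, uint8_t devtype,
                            uint8_t pcode, const struct vpd_page *vpd)
{
    if (cap < VPD_HDR_LEN || (size_t)vpd->size > cap - VPD_HDR_LEN)
        return -1;
    data[0] = devtype;
    data[1] = pcode;
    data[2] = (uint8_t)(vpd->size >> 8);
    data[3] = (uint8_t)(vpd->size & 0xff);
    memcpy(&data[VPD_HDR_LEN], vpd->data, vpd->size);
    return (int)(vpd->size + VPD_HDR_LEN);
}

/* Largest page the buffer can hold: 256 - 4 = 252 bytes for the report's case. */
static size_t vpd_max_page_size(size_t cap)
{
    return cap < VPD_HDR_LEN ? 0 : cap - VPD_HDR_LEN;
}

/* Constructed page of page_size bytes of 0xAB fed to the checked copy. */
static int demo_checked_copy(uint16_t page_size)
{
    uint8_t payload[300];              /* constructed sample data */
    uint8_t data[INQ_BUF_SIZE];
    struct vpd_page pg = { page_size, payload };
    memset(payload, 0xAB, sizeof(payload));
    return vpd_copy_checked(data, sizeof(data), 0x00, 0x83, &pg);
}

/* Reads back the 2-byte length field the checked copy wrote, or -1. */
static int demo_length_field(uint16_t page_size)
{
    uint8_t payload[300];
    uint8_t data[INQ_BUF_SIZE];
    struct vpd_page pg = { page_size, payload };
    memset(payload, 0xAB, sizeof(payload));
    if (vpd_copy_checked(data, sizeof(data), 0x00, 0x83, &pg) < 0)
        return -1;
    return (data[2] << 8) | data[3];
}

/* The unchecked form on a 10-byte page, which is within the safe range. */
static int demo_unchecked_small(void)
{
    uint8_t payload[10];
    uint8_t data[INQ_BUF_SIZE];
    struct vpd_page pg = { sizeof(payload), payload };
    memset(payload, 0xAB, sizeof(payload));
    return vpd_copy_unchecked(data, 0x00, 0x83, &pg);
}

int main(void)
{
    printf("max page size: %zu\n", vpd_max_page_size(INQ_BUF_SIZE));
    printf("page of 252 -> %d\n", demo_checked_copy(252));
    printf("page of 253 -> %d\n", demo_checked_copy(253));
    printf("unchecked, 10-byte page -> %d\n", demo_unchecked_small());
    return 0;
}
```

A page of exactly 252 bytes fills the buffer and is accepted; 253 is rejected instead of overwriting one byte past the end of the stack array. The capacity check is the piece that matters: once the VPD pages come from anywhere other than small constant tables in spc.c, the 16-bit size field is the only thing standing between the caller and the overflow.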