diff options
| author | Kees Cook <keescook@chromium.org> | 2013-05-23 10:32:17 -0700 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2013-06-19 02:16:40 +0100 |
| commit | ba73be1c56e3a459f5cd4580177e865b362d76a7 (patch) | |
| tree | 19a14fd9b15df71138cb24367140996f594d8937 /drivers/target | |
| parent | 81428790d5392ba103ff27a8e0ac0bc0a4959713 (diff) | |
| download | kernel_samsung_smdk4412-ba73be1c56e3a459f5cd4580177e865b362d76a7.zip kernel_samsung_smdk4412-ba73be1c56e3a459f5cd4580177e865b362d76a7.tar.gz kernel_samsung_smdk4412-ba73be1c56e3a459f5cd4580177e865b362d76a7.tar.bz2 | |
iscsi-target: fix heap buffer overflow on error
commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.
Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.
CVE-2013-2850
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'drivers/target')
| -rw-r--r-- | drivers/target/iscsi/iscsi_target_parameters.c | 8 | ||||
| -rw-r--r-- | drivers/target/iscsi/iscsi_target_parameters.h | 4 |
2 files changed, 6 insertions, 6 deletions
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c index 5b77316..db313ba 100644 --- a/drivers/target/iscsi/iscsi_target_parameters.c +++ b/drivers/target/iscsi/iscsi_target_parameters.c @@ -713,9 +713,9 @@ static int iscsi_add_notunderstood_response( } INIT_LIST_HEAD(&extra_response->er_list); - strncpy(extra_response->key, key, strlen(key) + 1); - strncpy(extra_response->value, NOTUNDERSTOOD, - strlen(NOTUNDERSTOOD) + 1); + strlcpy(extra_response->key, key, sizeof(extra_response->key)); + strlcpy(extra_response->value, NOTUNDERSTOOD, + sizeof(extra_response->value)); list_add_tail(&extra_response->er_list, ¶m_list->extra_response_list); @@ -1572,8 +1572,6 @@ int iscsi_decode_text_input( if (phase & PHASE_SECURITY) { if (iscsi_check_for_auth_key(key) > 0) { - char *tmpptr = key + strlen(key); - *tmpptr = '='; kfree(tmpbuf); return 1; } diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h index 6a37fd6..83eed65 100644 --- a/drivers/target/iscsi/iscsi_target_parameters.h +++ b/drivers/target/iscsi/iscsi_target_parameters.h @@ -1,8 +1,10 @@ #ifndef ISCSI_PARAMETERS_H #define ISCSI_PARAMETERS_H +#include <scsi/iscsi_proto.h> + struct iscsi_extra_response { - char key[64]; + char key[KEY_MAXLEN]; char value[32]; struct list_head er_list; } ____cacheline_aligned; |