diff options
author | Kees Cook <keescook@chromium.org> | 2013-05-23 21:32:17 +0400 |
---|---|---|
committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2013-05-31 05:07:54 +0400 |
commit | cea4dcfdad926a27a18e188720efe0f2c9403456 (patch) | |
tree | 7ae6fd132bbd1e7cd888dcaae6946cecfd20a2e1 /drivers/target/iscsi/iscsi_target_parameters.c | |
parent | 21363ca873334391992f2f424856aa864345bb61 (diff) | |
download | linux-cea4dcfdad926a27a18e188720efe0f2c9403456.tar.xz |
iscsi-target: fix heap buffer overflow on error
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.
Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.
CVE-2013-2850
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers/target/iscsi/iscsi_target_parameters.c')
-rw-r--r-- | drivers/target/iscsi/iscsi_target_parameters.c | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c index c2185fc31136..e38222191a33 100644 --- a/drivers/target/iscsi/iscsi_target_parameters.c +++ b/drivers/target/iscsi/iscsi_target_parameters.c @@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response( } INIT_LIST_HEAD(&extra_response->er_list); - strncpy(extra_response->key, key, strlen(key) + 1); - strncpy(extra_response->value, NOTUNDERSTOOD, - strlen(NOTUNDERSTOOD) + 1); + strlcpy(extra_response->key, key, sizeof(extra_response->key)); + strlcpy(extra_response->value, NOTUNDERSTOOD, + sizeof(extra_response->value)); list_add_tail(&extra_response->er_list, ¶m_list->extra_response_list); @@ -1629,8 +1629,6 @@ int iscsi_decode_text_input( if (phase & PHASE_SECURITY) { if (iscsi_check_for_auth_key(key) > 0) { - char *tmpptr = key + strlen(key); - *tmpptr = '='; kfree(tmpbuf); return 1; } |