iscsi-target: fix heap buffer overflow on error

If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
author: Kees Cook <keescook@chromium.org> 2013-05-23 21:32:17 +0400
committer: Nicholas Bellinger <nab@linux-iscsi.org> 2013-05-31 05:07:54 +0400
commit: cea4dcfdad926a27a18e188720efe0f2c9403456 (patch)
tree: 7ae6fd132bbd1e7cd888dcaae6946cecfd20a2e1 /drivers/target/iscsi/iscsi_target_parameters.h
parent: 21363ca873334391992f2f424856aa864345bb61 (diff)
download: linux-cea4dcfdad926a27a18e188720efe0f2c9403456.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
index 915b06798505..a47046a752aa 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -1,8 +1,10 @@
 #ifndef ISCSI_PARAMETERS_H
 #define ISCSI_PARAMETERS_H
 
+#include <scsi/iscsi_proto.h>
+
 struct iscsi_extra_response {
-	char key[64];
+	char key[KEY_MAXLEN];
 	char value[32];
 	struct list_head er_list;
 } ____cacheline_aligned;
author	Kees Cook <keescook@chromium.org>	2013-05-23 21:32:17 +0400
committer	Nicholas Bellinger <nab@linux-iscsi.org>	2013-05-31 05:07:54 +0400
commit	cea4dcfdad926a27a18e188720efe0f2c9403456 (patch)
tree	7ae6fd132bbd1e7cd888dcaae6946cecfd20a2e1 /drivers/target/iscsi/iscsi_target_parameters.h
parent	21363ca873334391992f2f424856aa864345bb61 (diff)
download	linux-cea4dcfdad926a27a18e188720efe0f2c9403456.tar.xz