Merge pull request from GHSA-r278-fm99-8rgp

iscsiuio uIP input packet processing bounds checking fixes

Changelog

@@ -1,3 +1,49 @@
+open-iscsi-2.1.2 - open-iscsi-2.1.3
+
+Chris Leech (4):
+      iscsiadm buffer overflow regression when discovering many targets at once
+      check for header length underflow during checksum calculation
+      check for u8 overflow when processing TCP options
+      check for TCP urgent pointer past end of frame
+
+Gulam Mohamed (1):
+      iscsid: Poll timeout value to 1 minute for iscsid
+
+Khem Raj (1):
+      libopeniscsiusr: Compare with max int instead of max long
+
+Lee Duncan (4):
+      Add ability to attempt target logins asynchronously
+      Implement login "no_wait" for iscsiadm NODE mode
+      Updated iscsiadm man page.
+      iscsiadm: fix host stats mode coredump
+
+Wenchao Hao (15):
+      Fix memory leak in sysfs_get_str
+      iscsiadm: Optimize the the verification of mode paramters
+      Update .gitignore for cscope and gtags data base
+      iscsi_sysfs: Fix NULL pointer deference in iscsi_sysfs_read_iface
+      iscsi-iname: Verify open() return value before calling read()
+      iscsiuio: Fix invalid parameter when call fstat()
+      open-iscsi: Fix invalid pointer deference in find_initiator()
+      open-iscsi: Fix NULL pointer dereference in mgmt_ipc_read_req()
+      iscsi_net_util: Fix NULL pointer dereference in find_vlan_dev()
+      open-iscsi: Clean user_param list when process exit
+      fwparam_ppc: Fix NULL pointer dereference in find_devtree()
+      sysfs: Verify parameter of sysfs_device_get()
+      fwparam_ppc: Fix illegal memory access in fwparam_ppc.c
+      iscsiuio: Remove unused macro IFNAMSIZ defined in iscsid_ipc.c
+      fwparam_ppc: Fix memory leak in fwparam_ppc.c
+
+Yoshifumi Kinoshita (1):
+      iscsid: fix logging level when starting and shutting down daemon
+
+gulams (1):
+      iscsid: Check Invalid Session id for stop connection
+
+sonukumar159842@gmail.com (1):
+      TODO: Update to todo list.
+
 open-iscsi-2.1.0 - open-iscsi-2.1.2
 
 Christian Glombek (1):

iscsiuio/src/uip/uip.c

@@ -316,7 +316,13 @@ static u16_t upper_layer_chksum_ipv4(struct uip_stack *ustack, u8_t proto)
 	tcp_ipv4_hdr = (struct uip_tcp_ipv4_hdr *)ustack->network_layer;
 
 	upper_layer_len = (((u16_t) (tcp_ipv4_hdr->len[0]) << 8) +
-			   tcp_ipv4_hdr->len[1]) - UIP_IPv4_H_LEN;
+			   tcp_ipv4_hdr->len[1]);
+	/* check for underflow from an invalid length field */
+	if (upper_layer_len < UIP_IPv4_H_LEN) {
+		/* return 0 as an invalid checksum */
+		return 0;
+	}
+	upper_layer_len -= UIP_IPv4_H_LEN;
 
 	/* First sum pseudoheader. */
 	/* IP protocol and length fields. This addition cannot carry. */
@@ -1789,16 +1795,18 @@ void uip_process(struct uip_stack *ustack, u8_t flag)
 			} else {
 				/* All other options have a length field, so
 				   that we easily can skip past them. */
-				if (ustack->
-				    uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 +
-					    c] == 0) {
+				if (ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c] == 0) {
 					/* If the length field is zero, the
 					   options are malformed
 					   and we don't process them further. */
 					break;
 				}
-				c += ustack->uip_buf[uip_ip_tcph_len +
-						     UIP_LLH_LEN + 1 + c];
+				if ((ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c]) > (256 - c)) {
+					/* u8 overflow, actually there should
+					 * never be more than 40 bytes of options */
+					break;
+				}
+				c += ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c];
 			}
 		}
 	}
@@ -2004,6 +2012,14 @@ void uip_process(struct uip_stack *ustack, u8_t flag)
 							   further. */
 							break;
 						}
+						if ((ustack->uip_buf[uip_ip_tcph_len
+							  + UIP_LLH_LEN + 1 +
+							  c]) > (256 - c)) {
+							/* u8 overflow, actually there should
+							 * never be more than 40 bytes of
+							 * options */
+							break;
+						}
 						c += ustack->
 						    uip_buf[uip_ip_tcph_len +
 							    UIP_LLH_LEN + 1 +
@@ -2079,11 +2095,16 @@ void uip_process(struct uip_stack *ustack, u8_t flag)
 		} else {
 			uip_urglen = 0;
 #else /* UIP_URGDATA > 0 */
-			ustack->uip_appdata =
-			    ((char *)ustack->uip_appdata) +
-			    ((tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1]);
-			ustack->uip_len -=
-			    (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+			tmp16 = (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+			if (tmp16 <= ustack->uip_len) {
+				ustack->uip_appdata = ((char *)ustack->uip_appdata) + tmp16;
+				ustack->uip_len -= tmp16;
+			} else {
+				/* invalid urgent pointer length greater than frame */
+				/* we're discarding urgent data anyway, throw it all out */
+				ustack->uip_appdata = ((char *)ustack->uip_appdata) + ustack->uip_len;
+				ustack->uip_len = 0;
+			}
 #endif /* UIP_URGDATA > 0 */
 		}
 

libopeniscsiusr/version.h

@@ -25,6 +25,6 @@
  * This may not be the same value as the kernel versions because
  * some other maintainer could merge a patch without going through us
  */
-#define ISCSI_VERSION_STR	"2.1.2"
+#define ISCSI_VERSION_STR	"2.1.3"
 
 #endif  /* End of __ISCSI_OPEN_USR_VERSION_H__ */

usr/version.h

@@ -6,7 +6,7 @@
  * This may not be the same value as the kernel versions because
  * some other maintainer could merge a patch without going through us
  */
-#define ISCSI_VERSION_STR	"2.1.2"
+#define ISCSI_VERSION_STR	"2.1.3"
 #define ISCSI_VERSION_FILE	"/sys/module/scsi_transport_iscsi/version"
 
 #endif