Skip to content

Commit cea4dcf

Browse files
keesNicholas Bellinger
authored and
Nicholas Bellinger
committed
iscsi-target: fix heap buffer overflow on error
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
1 parent 21363ca commit cea4dcf

File tree

2 files changed

+6
-6
lines changed

2 files changed

+6
-6
lines changed

Diff for: drivers/target/iscsi/iscsi_target_parameters.c

+3-5
Original file line numberDiff line numberDiff line change
@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
758758
}
759759
INIT_LIST_HEAD(&extra_response->er_list);
760760

761-
strncpy(extra_response->key, key, strlen(key) + 1);
762-
strncpy(extra_response->value, NOTUNDERSTOOD,
763-
strlen(NOTUNDERSTOOD) + 1);
761+
strlcpy(extra_response->key, key, sizeof(extra_response->key));
762+
strlcpy(extra_response->value, NOTUNDERSTOOD,
763+
sizeof(extra_response->value));
764764

765765
list_add_tail(&extra_response->er_list,
766766
&param_list->extra_response_list);
@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
16291629

16301630
if (phase & PHASE_SECURITY) {
16311631
if (iscsi_check_for_auth_key(key) > 0) {
1632-
char *tmpptr = key + strlen(key);
1633-
*tmpptr = '=';
16341632
kfree(tmpbuf);
16351633
return 1;
16361634
}

Diff for: drivers/target/iscsi/iscsi_target_parameters.h

+3-1
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,10 @@
11
#ifndef ISCSI_PARAMETERS_H
22
#define ISCSI_PARAMETERS_H
33

4+
#include <scsi/iscsi_proto.h>
5+
46
struct iscsi_extra_response {
5-
char key[64];
7+
char key[KEY_MAXLEN];
68
char value[32];
79
struct list_head er_list;
810
} ____cacheline_aligned;

0 commit comments

Comments
 (0)