From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Nicholas Bellinger <nab@linux-iscsi.org>
Subject: [ 04/16] iscsi-target: Fix potential NULL pointer in solicited NOPOUT reject
Date: Thu, 12 Sep 2013 11:14:56 -0700
Message-ID: <20130912181156.693793385@linuxfoundation.org>
In-Reply-To: <20130912181156.173326121@linuxfoundation.org>

3.11-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 28aaa950320fc7b8df3f6d2d34fa7833391a9b72 upstream.

This patch addresses a potential NULL pointer dereference regression in
the iscsit_setup_nop_out() code, specifically for two cases when a solicited
NOPOUT triggers an ISCSI_REASON_PROTOCOL_ERROR reject to be generated.

This is because iscsi_cmd is expected to be NULL for the solicited NOPOUT
case before iscsit_process_nop_out() locates the descriptor via TTT
using iscsit_find_cmd_from_ttt().

This regression was originally introduced in:

commit ba159914086f06532079fc15141f46ffe7e04a41
Author: Nicholas Bellinger <nab@linux-iscsi.org>
Date:   Wed Jul 3 03:48:24 2013 -0700

    iscsi-target: Fix iscsit_add_reject* usage for iser

Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/iscsi/iscsi_target.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -1522,6 +1522,10 @@ int iscsit_setup_nop_out(struct iscsi_co
 	if (hdr->itt == RESERVED_ITT && !(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
 		pr_err("NOPOUT ITT is reserved, but Immediate Bit is"
 			" not set, protocol error.\n");
+		if (!cmd)
+			return iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR,
+						 (unsigned char *)hdr);
+
 		return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR,
 					 (unsigned char *)hdr);
 	}
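
Review bot: The new `if (!cmd)` branch in the reserved-ITT reject path has no comment saying when cmd is legitimately NULL, so the next reader sees two different reject calls with no stated reason. The commit message gives the reason (cmd is NULL for a solicited NOPOUT until iscsit_process_nop_out() finds the descriptor via iscsit_find_cmd_from_ttt()); a one-line comment above the check saying so would keep that knowledge in the source. It would also help to note there that iscsit_add_reject() takes conn rather than cmd, which is why it is the call that works without a command descriptor.
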
@@ -1531,6 +1535,10 @@ int iscsit_setup_nop_out(struct iscsi_co
 			" greater than MaxXmitDataSegmentLength: %u, protocol"
 			" error.\n", payload_length,
 			conn->conn_ops->MaxXmitDataSegmentLength);
+		if (!cmd)
+			return iscsit_add_reject(conn, ISCSI_REASON_PROTOCOL_ERROR,
+						 (unsigned char *)hdr);
+
 		return iscsit_reject_cmd(cmd, ISCSI_REASON_PROTOCOL_ERROR,
 					 (unsigned char *)hdr);
 	}
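
Review bot: The four added lines in the MaxXmitDataSegmentLength reject path are a verbatim copy of the check added in the reserved-ITT path above, so any later reject site in iscsit_setup_nop_out() has to remember to repeat it. Consider folding the `if (!cmd)` choice between iscsit_add_reject(conn, ...) and iscsit_reject_cmd(cmd, ...) into one small static helper, or a shared exit label, that both error paths call. Since the NULL cmd comes from a PDU the remote initiator sends, it is also worth confirming that no other iscsit_reject_cmd(cmd, ...) call in this function, outside the lines shown here, can be reached with cmd still NULL.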


