From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Santosh Kulkarni <santosh.kulkarni@calsoftinc.com>,
Roland Dreier <roland@purestorage.com>,
Nicholas Bellinger <nab@linux-iscsi.org>
Subject: [PATCH 3.10 08/18] iscsi-target: Fix wrong buffer / buffer overrun in iscsi_change_param_value()
Date: Thu, 12 Jun 2014 16:22:12 -0700
Message-ID: <20140612232213.343409621@linuxfoundation.org>
In-Reply-To: <20140612232212.960235342@linuxfoundation.org>

3.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Roland Dreier <roland@purestorage.com>

commit 79d59d08082dd0a0a18f8ceb78c99f9f321d72aa upstream.

In non-leading connection login, iscsi_login_non_zero_tsih_s1() calls
iscsi_change_param_value() with the buffer it uses to hold the login
PDU, not a temporary buffer. This leads to the login header getting
corrupted and login failing for non-leading connections in MC/S.

Fix this by adding a wrapper iscsi_change_param_sprintf() that handles
the temporary buffer itself to avoid confusion. Also handle sending a
reject in case of failure in the wrapper, which lets the calling code
get quite a bit smaller and easier to read.

Finally, bump the size of the temporary buffer from 32 to 64 bytes to be
safe, since "MaxRecvDataSegmentLength=" by itself is 25 bytes; with a
trailing NUL, a value >= 1M will lead to a buffer overrun. (This isn't
the default but we don't need to run right at the ragged edge here)

(Fix up context changes for v3.10.y - nab)

Reported-by: Santosh Kulkarni <santosh.kulkarni@calsoftinc.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/iscsi/iscsi_target_login.c | 50 ++++++++++++++++--------------
1 file changed, 27 insertions(+), 23 deletions(-)
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -250,6 +250,28 @@ static void iscsi_login_set_conn_values(
mutex_unlock(&auth_id_lock);
}
+static __printf(2, 3) int iscsi_change_param_sprintf(
+ struct iscsi_conn *conn,
+ const char *fmt, ...)
+{
+ va_list args;
+ unsigned char buf[64];
+
+ memset(buf, 0, sizeof buf);
+
+ va_start(args, fmt);
+ vsnprintf(buf, sizeof buf, fmt, args);
+ va_end(args);
+
+ if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) {
+ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
+ ISCSI_LOGIN_STATUS_NO_RESOURCES);
+ return -1;
+ }
+
+ return 0;
+}
+
/*
* This is the leading connection of a new session,
* or session reinstatement.
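Review bot: The return value of vsnprintf() in iscsi_change_param_sprintf() is ignored, so a formatted string that does not fit in buf[64] is silently truncated and the truncated key=value is still handed to iscsi_change_param_value(). Suggest capturing the return value and taking the same reject path when it is >= sizeof buf, so an oversized parameter fails loudly instead of being negotiated with a shortened value. Two smaller points in the same function: buf is declared unsigned char but is passed to vsnprintf(), which takes a char *, and the memset() is redundant because vsnprintf() always NUL-terminates within the size it is given.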
@@ -339,7 +361,6 @@ static int iscsi_login_zero_tsih_s2(
{
struct iscsi_node_attrib *na;
struct iscsi_session *sess = conn->sess;
- unsigned char buf[32];
bool iser = false;
sess->tpg = conn->tpg;
@@ -380,26 +401,16 @@ static int iscsi_login_zero_tsih_s2(
*
* In our case, we have already located the struct iscsi_tiqn at this point.
*/
- memset(buf, 0, 32);
- sprintf(buf, "TargetPortalGroupTag=%hu", ISCSI_TPG_S(sess)->tpgt);
- if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) {
- iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
- ISCSI_LOGIN_STATUS_NO_RESOURCES);
+ if (iscsi_change_param_sprintf(conn, "TargetPortalGroupTag=%hu", sess->tpg->tpgt))
return -1;
- }
/*
* Workaround for Initiators that have broken connection recovery logic.
*
* "We would really like to get rid of this." Linux-iSCSI.org team
*/
- memset(buf, 0, 32);
- sprintf(buf, "ErrorRecoveryLevel=%d", na->default_erl);
- if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) {
- iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
- ISCSI_LOGIN_STATUS_NO_RESOURCES);
+ if (iscsi_change_param_sprintf(conn, "ErrorRecoveryLevel=%d", na->default_erl))
return -1;
- }
if (iscsi_login_disable_FIM_keys(conn->param_list, conn) < 0)
return -1;
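Review bot: The new TargetPortalGroupTag call reads sess->tpg->tpgt, while the line it replaces read ISCSI_TPG_S(sess)->tpgt, and the changelog does not mention that substitution beyond the "Fix up context changes for v3.10.y" line. Please confirm the two expressions are equivalent in 3.10.y, or keep ISCSI_TPG_S(sess) here so the hunk changes only the buffer handling and stays easy to audit as a backport.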
@@ -411,12 +422,9 @@ static int iscsi_login_zero_tsih_s2(
unsigned long mrdsl, off;
int rc;
- sprintf(buf, "RDMAExtensions=Yes");
- if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) {
- iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
- ISCSI_LOGIN_STATUS_NO_RESOURCES);
+ if (iscsi_change_param_sprintf(conn, "RDMAExtensions=Yes"))
return -1;
- }
+
/*
* Make MaxRecvDataSegmentLength PAGE_SIZE aligned for
* Immediate Data + Unsolicitied Data-OUT if necessary..
@@ -446,12 +454,8 @@ static int iscsi_login_zero_tsih_s2(
pr_warn("Aligning ISER MaxRecvDataSegmentLength: %lu down"
" to PAGE_SIZE\n", mrdsl);
- sprintf(buf, "MaxRecvDataSegmentLength=%lu\n", mrdsl);
- if (iscsi_change_param_value(buf, conn->param_list, 0) < 0) {
- iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
- ISCSI_LOGIN_STATUS_NO_RESOURCES);
+ if (iscsi_change_param_sprintf(conn, "MaxRecvDataSegmentLength=%lu\n", mrdsl))
return -1;
- }
}
return 0;
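Review bot: The format string "MaxRecvDataSegmentLength=%lu\n" keeps the trailing "\n" from the removed sprintf(), so the newline becomes part of the string passed to iscsi_change_param_value(); none of the other three converted calls has one. Suggest dropping the "\n" unless the parameter parser depends on it, and noting that in the changelog either way. It also consumes one byte of the 64-byte buffer whose sizing the changelog justifies with this very key.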