Re: [SCSI] be2iscsi: adding functionality to change network settings using iscsiadm

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Mike Christie <michaelc@cs.wisc.edu>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-scsi@vger.kernel.org, Kees Cook <keescook@chromium.org>,
	Jayamohan Kallickal <jayamohan.kallickal@emulex.com>
Subject: Re: [SCSI] be2iscsi: adding functionality to change network settings using iscsiadm
Date: Thu, 04 Sep 2014 22:09:55 -0500	[thread overview]
Message-ID: <54092983.70604@cs.wisc.edu> (raw)
In-Reply-To: <20140904102734.GA21504@mwanda>

[-- Attachment #1: Type: text/plain, Size: 2018 bytes --]

On 09/04/2014 05:27 AM, Dan Carpenter wrote:
> Hello Mike Christie,
> 
> The patch 0e43895ec1f4: "[SCSI] be2iscsi: adding functionality to
> change network settings using iscsiadm" from Apr 3, 2012, leads to
> the following static checker warning:
> 
> 	drivers/scsi/be2iscsi/be_mgmt.c:945 mgmt_static_ip_modify()
> 	error: 'ip_param->len' from user is not capped properly
> 
> drivers/scsi/be2iscsi/be_mgmt.c
>    940          req->ip_params.ip_record.ip_addr.size_of_structure =
>    941                  sizeof(struct be_ip_addr_subnet_format);
>    942          req->ip_params.ip_record.ip_addr.ip_type = ip_type;
>    943  
>    944          if (ip_action == IP_ACTION_ADD) {
>    945                  memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value,
>    946                         ip_param->len);
>    947  
>    948                  if (subnet_param)
>    949                          memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
>    950                                 subnet_param->value, subnet_param->len);
>                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    951          } else {
>    952                  memcpy(req->ip_params.ip_record.ip_addr.addr,
>    953                         if_info->ip_addr.addr, ip_param->len);
>                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    954  
>    955                  memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
>    956                         if_info->ip_addr.subnet_mask, ip_param->len);
>                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    957          }
> 
> These memcpy()s can overflow.  It seems root only but it makes the
> static checker complain.
> 
> One call tree is:
> 
> beiscsi_set_static_ip() <- gets iface_ip.
>   -> mgmt_set_ip()
>      -> mgmt_static_ip_modify()
> 

Jay, I made the attached patch to fix these issues plus one more I
found. I am still waiting on getting systems at work. Could you have
your people test it?


[-- Attachment #2: be2iscsi-check-ip-buf-size.patch --]
[-- Type: text/x-patch, Size: 1495 bytes --]

diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c
index 8478506..681d4e8 100644
--- a/drivers/scsi/be2iscsi/be_mgmt.c
+++ b/drivers/scsi/be2iscsi/be_mgmt.c
@@ -943,17 +943,20 @@ mgmt_static_ip_modify(struct beiscsi_hba *phba,
 
 	if (ip_action == IP_ACTION_ADD) {
 		memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value,
-		       ip_param->len);
+		       sizeof(req->ip_params.ip_record.ip_addr.addr));
 
 		if (subnet_param)
 			memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
-			       subnet_param->value, subnet_param->len);
+			       subnet_param->value,
+			       sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
 	} else {
 		memcpy(req->ip_params.ip_record.ip_addr.addr,
-		       if_info->ip_addr.addr, ip_param->len);
+		       if_info->ip_addr.addr,
+		       sizeof(req->ip_params.ip_record.ip_addr.addr));
 
 		memcpy(req->ip_params.ip_record.ip_addr.subnet_mask,
-		       if_info->ip_addr.subnet_mask, ip_param->len);
+		       if_info->ip_addr.subnet_mask,
+		       sizeof(req->ip_params.ip_record.ip_addr.subnet_mask));
 	}
 
 	rc = mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
@@ -981,7 +984,7 @@ static int mgmt_modify_gateway(struct beiscsi_hba *phba, uint8_t *gt_addr,
 	req->action = gtway_action;
 	req->ip_addr.ip_type = BE2_IPV4;
 
-	memcpy(req->ip_addr.addr, gt_addr, param_len);
+	memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr));
 
 	return mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0);
 }

next      parent reply	other threads:[~2014-09-05  3:10 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20140904102734.GA21504@mwanda>
2014-09-05  3:09 ` Mike Christie [this message]
2014-09-09  6:26   ` [SCSI] be2iscsi: adding functionality to change network settings using iscsiadm Sony John-N

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8478506 dfblob:681d4e8 )
 OR (
bs:"Re: [SCSI] be2iscsi: adding functionality to change network settings using iscsiadm" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54092983.70604@cs.wisc.edu \
    --to=michaelc@cs.wisc.edu \
    --cc=dan.carpenter@oracle.com \
    --cc=jayamohan.kallickal@emulex.com \
    --cc=keescook@chromium.org \
    --cc=linux-scsi@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.